Groups keyboard shortcuts have been updated
Dismiss
See shortcuts
How can I know which version of WebRTC did libjingle_peerconnection_so.so build from ?
138 views
Skip to first unread message
asplin...@gmail.com
Nov 13, 2022, 10:55:33 PM11/13/22
to discuss-webrtc
Hi,buddies
The google store detects that I'm using a vulnerable versions of WebRTC use usrsctp,however, usrsctp is not built into libjingle_peerconnection_so.so because I'v dissalbed these features in WebRTC.gni.
1) rtc_enable_sctp=false
2) rtc_build_usrsctp=false
As usrsctp is not built,so how does google store dectect that I'm using a vulnerable versions of WebRTC use usrsctp ??
So I have several questions about this
Question1:
how does google store dectect that I'm using a vulnerable versions of WebRTC use usrsctp ?
- by scanning the symbols in .so ?
- by scanning the meta infos ?
Question2:
Is there a way to know the version of WebRTC that libjingle_peerconnection_so.so is built from ?
In other words,given a specific so file libjingle_peerconnection_so.so ,How can I know that it's built from M91 or M102 ?
Here is the FAQ from google.
asplin...@gmail.com
Nov 17, 2022, 1:03:09 AM11/17/22
to discuss-webrtc
I've filed an issue to WebRTC Issue 14664: usrsctp is not built but detected by goolge play store
Natalie Silvanovich
Nov 19, 2022, 6:43:37 AM11/19/22
to discuss...@googlegroups.com
I've replied to this issue on StackOverflow and the issue above, but I'm going to reply here as well so that this information is available to everyone:
This update is recommended because older versions of WebRTC contain security issues. Users are at risk if this older code continues to be used. The best way to remediate this issue is to update to M102 or later.
When branching an open-source project such as WebRTC, it is important to have a strategy for adopting security updates. This usually involves evaluating each security patch as it is released, then backporting and applying the patch if the underlying issue affects your software. If your WebRTC branch already does this, and is not susceptible to the many security issues that have been reported since M91, please escalate the issue to the Play store using the contact info the warning you received, and it will be considered for an exception. Otherwise, you need to figure out how to remediate the vulnerabilities in your application, either by updating to a newer version of WebRTC or adopting a patching strategy that brings it in line with the current version's security patches.
Note that it is likely that there will be future vulnerabilities reported in WebRTC that could result in Play requiring later versions, so make sure you are prepared to patch or update your WebRTC integration on an ongoing basis. Most third-party software needs to be updated to fix security issues regularly, and WebRTC is no exception, so keep this in mind.
When branching an open-source project such as WebRTC, it is important to have a strategy for adopting security updates. This usually involves evaluating each security patch as it is released, then backporting and applying the patch if the underlying issue affects your software. If your WebRTC branch already does this, and is not susceptible to the many security issues that have been reported since M91, please escalate the issue to the Play store using the contact info the warning you received, and it will be considered for an exception. Otherwise, you need to figure out how to remediate the vulnerabilities in your application, either by updating to a newer version of WebRTC or adopting a patching strategy that brings it in line with the current version's security patches.
Note that it is likely that there will be future vulnerabilities reported in WebRTC that could result in Play requiring later versions, so make sure you are prepared to patch or update your WebRTC integration on an ongoing basis. Most third-party software needs to be updated to fix security issues regularly, and WebRTC is no exception, so keep this in mind.
--
---
You received this message because you are subscribed to the Google Groups "discuss-webrtc" group.
To unsubscribe from this group and stop receiving emails from it, send an email to discuss-webrt...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/discuss-webrtc/f2bf0050-5657-4b8b-8a98-0e046ff57737n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages