Since more one year ago, I try to have more security in Jitsi products, can you solve it?

First ticket about it: https://github.com/jitsi/jitsi/issues/562.

CVEs: https://www.cvedetails.com/vulnerability-list/vendor_id-7637/Bouncycastle.html

My first PR for Jitsi, edited several time release after release (Bouncy Castle 1.65 instead of 1.54): https://jitsi/jitsi/pull/564

My PR for libjitsi (Bouncy Castle 1.65 instead of 1.54): https://jitsi/libjitsi/pull/522

My PR for jitsi-media-transform (Bouncy Castle 1.65 instead of 1.61): https://jitsi/jitsi-media-transform/pull/253

Thanks in advance.

Who can help the Jitsi project to do not use this library without CVEs?

Who can test and inform if it is good or not?

A lot of other tickets about Bouncy Castle and Jitsi:

• https://github.com/jitsi/jitsi/issues/562

• https://github.com/jitsi/jitsi/pull/564

• https://github.com/jitsi/bccontrib/pull/3

• https://github.com/jitsi/jitsi-srtp/pull/13

• https://github.com/jitsi/libjitsi/pull/522

• https://github.com/jitsi/jitsi-hammer/issues/36

• https://github.com/jitsi/jitsi-media-transform/pull/253

• https://github.com/jitsi/jigasi/pull/259

• https://github.com/jitsi/otr4j/pull/32

• https://github.com/jitsi/zrtp4j/pull/3

• https://github.com/search?p=1&q=org%3Ajitsi+Bouncy+Castle&type=Issues

Thanks in advance.

Likewise for jetty which can be updated to 9.4.28.v20200408 or later.

By the way, jvb and jicofo seem to be working with bc 1.65 and jetty components at 9.4.28.v20200408, but I don’t know if they’re being used.