av_libglesv2.dll and libSkiaSharp.dll reference an outdated zlib and libjpeg-turbo #15751

Open
SergeyGulik opened this issue May 17, 2024 · 2 comments

Comments

@SergeyGulik

Is your feature request related to a problem? Please describe.

Our security scan complains about two things:

  • runtimes/win-x64/native/av_libglesv2.dll uses zlib.dll of version 1.2.11, recommended is 1.3.1
  • runtimes/win-x64/native/libSkiaSharp.dll uses libjpeg-turbo.dll of version 2.1.5, recommended is 3.0.0.
    Yes, you do not distribute these dlls :) But the security scan still complains.

Describe the solution you'd like

May I ask you to update av_libglesv2.dll and libSkiaSharp.dll to the latest versions in one of your upcoming releases? Hopefully, their vendors have already addressed the issues and use the newest zlib and libjpeg-turbo.

Describe alternatives you've considered

No response

Additional context

No response

@timunie
Contributor

timunie commented May 17, 2024

11.1 beta can be used with SkiaSharp 3, but we can only support it for 12.0 completely due to breaking changes.

@stevemonaco
Contributor

stevemonaco commented May 17, 2024

SkiaSharp's update of libjpeg-turbo is blocked by a potential upstream bug: mono/SkiaSharp#2667 (comment). The comment includes some details and how the vulnerable feature isn't actually part of the SkiaSharp build.

Avalonia does ship its own ANGLE lib which seems to be on zlib 1.2.13. The current upstream main is on 1.3.0.1, so even if it's updated on Avalonia's end, it won't be 1.3.1.
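
The thread mentions both 1.2.11 (from the scan) and 1.2.13 (from the ANGLE source) for the same DLL, so one way to check what a native binary actually embeds is to look for zlib's compiled-in banner strings. This is an added example, not code from the issue thread or from Avalonia; it assumes the build did not strip zlib's `deflate`/`inflate` copyright banners, and the function names and sample bytes are constructed for illustration.

```python
import re
import sys

# zlib compiles banners like this into deflate.c and inftrees.c:
# " deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler "
ZLIB_BANNER = re.compile(rb" (deflate|inflate) (\d+(?:\.\d+){1,3})[^ ]* Copyright ")


def version_key(version):
    """Turn '1.3.0.1' into (1, 3, 0, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def embedded_zlib_versions(data):
    """Return the sorted, de-duplicated zlib versions whose banners occur in data."""
    found = {m.group(2).decode("ascii") for m in ZLIB_BANNER.finditer(data)}
    return sorted(found, key=version_key)


def is_older(found, recommended):
    """True if 'found' is lower than 'recommended' (missing parts count as 0)."""
    a, b = version_key(found), version_key(recommended)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# Constructed sample standing in for the bytes of a native DLL (not a real file).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b" deflate 1.2.13 Copyright 1995-2022 Jean-loup Gailly and Mark Adler \x00"
    + b"\x00" * 8
    + b" inflate 1.2.13 Copyright 1995-2022 Mark Adler \x00"
)

if __name__ == "__main__":
    recommended = "1.3.1"  # the version the scan in this issue asks for
    blobs = {"<constructed sample>": SAMPLE}
    for path in sys.argv[1:]:  # e.g. runtimes/win-x64/native/av_libglesv2.dll
        with open(path, "rb") as fh:
            blobs[path] = fh.read()
    for name, data in blobs.items():
        versions = embedded_zlib_versions(data)
        if not versions:
            print(f"{name}: no zlib banner found (stripped or not linked)")
        for v in versions:
            state = "older than" if is_older(v, recommended) else "at or above"
            print(f"{name}: zlib {v} is {state} {recommended}")
```

Comparing versions as integer tuples matters here: 1.3.0.1 sorts below 1.3.1, which matches the last comment's point that updating to the current upstream would still not satisfy the scan.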
