I need to know what version of Freetype is being used in my build. I am using Unity 2021.3.34f1 and building for Android.
I have tried looking through some of the license and notice files in the Unity installation folder, but I haven’t been able to find anything mentioning a Freetype version. Does anyone know how to find this info?
My binary analysis tool has detected a security vulnerability in my build from Freetype. This is probably a false positive, so I need to know the actual version of Freetype used in my build to clear it.
I don’t think we publish it anywhere officially, although we sometimes say the version in the release notes when we do an update. 2021.3 is using a customized version of 2.12.1.
You can also click Window/Software Licences for info about plugins although it seems to lack the version info for freetype.
If this issue has a security issue then we would need a bug report so we can look into upgrading freetype. The upgrade process can be lengthy as we have several custom changes that have been added over the years and these will need porting, so we try to avoid doing it unless we have to.
Looks like we do publish this information
If you need to find out the version info for a third party tool it can be found in the release notes page, at the very bottom. They’re not generated for every release right now because they require some manual review, though that is the plan.
I would like to know which versions of Unity3d correspond to the versions of mbedtls after 3.0.0. The Android App I developed has been detected with a vulnerability, requiring mbedtls to be version 3.0.0 or above. However, I am not sure which versions of Unity3d meet this requirement. Please answer, thank you.
We’re currently working on updating MbedTLS to 3.6 (the next LTS version). I’d expect this to land in the coming weeks. All supported versions of Unity will be updated, going back to 2021.3.
Out of curiosity, what vulnerability is causing an issue here? I wasn’t aware of any vulnerabilities that are patched in 3.X but for which the fix has not been backported to 2.28.
Thank you very much for your reply. When our in-vehicle infotainment-related applications were reviewed on the relevant security platform, the following error occurred: In Mbed TLS versions prior to 3.1.0, psa_aead_generate_nonce allows policy bypass or oracle-based decryption when the output buffer is located in memory accessible by an untrusted application.
I would like to know the specific situation. Could you provide a more specific date for the update? Thank you very much.
Unfortunately I can’t provide a more specific date because we don’t have one. All I can say is that we’re actively working on it and it’s a priority for us to update the version of MbedTLS as soon as possible. It’s just that the update is requiring more code changes than we expected and getting all of this reviewed and properly tested will take some time. As mentioned above, I’m hopeful that within a few weeks we’ll have updated versions available.
When our in-vehicle infotainment-related applications were reviewed on the relevant security platform, the following error occurred: In Mbed TLS versions prior to 3.1.0, psa_aead_generate_nonce allows policy bypass or oracle-based decryption when the output buffer is located in memory accessible by an untrusted application.
That would be CVE-2021-45451. That’s a tricky one because the affected function (psa_aead_generate_nonce) is not actually present in the 2.28 source (it’s declared but never defined). Nonetheless, Fedora considers it as fixed in version 2.28.1 and the Yocto project indicates that it has been fixed by this backport to version 2.X. Plus we disable the PSA module in our builds of MbedTLS, so I’m confident that Unity is not vulnerable to this issue.
I believe 2021.3 LTS support ended when Unity 6 was released. 2021.3 LTS Officially out of support?
There’s also a risk when updating something like freetype at the end of an LTS; if something did go wrong it would be difficult for us to fix when the LTS release cycle is over.
2021.3.51f1 was released Apr 16, 2025, so that’s why it is unclear to me if it is still being supported or not. I guess it ended with 6.1?
If that is the case, this CVE-fix unfortunately missed the last patch by less than a month.
It will hopefully not be a huge issue for us to upgrade some of our legacy projects to 2022, but it does carry significantly more risk than just building with a new patch version.
I would guess many are in the same situation where legacy projects are only updated to fix serious issues and not actively maintained / updated to new major versions.
Totally fair if that is the case, just unfortunate timing.
Can you request an update to the Third Party Licenses for the patches containing the new version (https://unity.com/releases/editor/whats-new/2022.3.62#notes)? Would be nice to have something more official than this forum post to point customers to.