Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Address CVE-2023-3635 #8050

Closed
mateusbandeiraa opened this issue Oct 9, 2023 · 5 comments
Closed

Address CVE-2023-3635 #8050

mateusbandeiraa opened this issue Oct 9, 2023 · 5 comments
Labels
bug Bug in existing code

Comments

@mateusbandeiraa
Copy link

The current version of Okhttp (4.11.0) ships with a vulnerable version of Okio (CVE-2023-3635). I noticed that the current master branch already has a newer version that is not vulnerable.

Please publish a new Okhttp version so the library doesn't ship with a vulnerable dependency anymore.
@mateusbandeiraa mateusbandeiraa added the bug Bug in existing code label Oct 9, 2023
@yschimke
Copy link
Collaborator

yschimke commented Oct 9, 2023

Yep, that's the plan.

But it isn't blocking you, you can specify a higher okio version in your build to fix the issue. If it continues to warn it's broken audits.

But release will happen, just when ready.

@yschimke
Copy link
Collaborator

yschimke commented Oct 9, 2023

Closing as a dupe

@spaultownsend
Copy link

Does anyone have a guess when a new 4.x release might be released?

@swankjesse
Copy link
Collaborator

I’d like to do a release in the next 7 days.

@lukewpatterson lukewpatterson mentioned this issue Oct 17, 2023
Closed
@yschimke
Copy link
Collaborator

4.12.0 released

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Bug in existing code
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@swankjesse @yschimke @spaultownsend @mateusbandeiraa