Upgrade OkHttp to resolve CVE-2023-3635 #328

Closed
guillermoAMS opened this issue Apr 6, 2024 · 1 comment · Fixed by #332

@guillermoAMS

Turbo v7.1.2 uses com.squareup.okhttp3:okhttp:4.11.0 which in turn has the compile dependency com.squareup.okio:okio:3.2.0. (https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp/4.11.0).

CVE-2023-3635 reported a DoS vulnerability in Okio v3.2.0. The issue was fixed in Okio v3.4.0, and the latest version of OkHttp (which is v4.12.0) uses Okio v3.6.0.

Can we get a bump to com.squareup.okhttp3:okhttp:4.12.0?

@felipejoglar

Hi!

I don't know when this upgrade will take effect, and I guess it will eventually.

In the meantime, if you have any concerns, maybe you can address them by overriding transitive dependency versions in your build.gradle file.
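The override suggested in the comment above could look like the following in a consuming app. This is an added example, not code from Turbo or from either commenter. The `releaseRuntimeClasspath` configuration name and the `checkOkioVersion` task are assumptions for a typical Android app module.

```groovy
// build.gradle of the consuming app module (Groovy DSL).
// First Okio release with the CVE-2023-3635 fix, per the issue above.
def okioMin = '3.4.0'

dependencies {
    constraints {
        // A constraint only raises the floor: if another dependency asks for a
        // newer Okio, Gradle still picks the newer one. Both coordinates are
        // listed because Okio 3.x also publishes a JVM-specific artifact;
        // a constraint on a module that is not in the graph is ignored.
        ['okio', 'okio-jvm'].each { artifact ->
            implementation("com.squareup.okio:${artifact}:${okioMin}") {
                because 'CVE-2023-3635: Okio 3.2.0 arrives transitively via OkHttp 4.11.0'
            }
        }
    }
}

// Hypothetical guard task: fail the build if an Okio older than okioMin
// is still resolved on the release runtime classpath.
tasks.register('checkOkioVersion') {
    doLast {
        // "3.4.0" -> [3, 4, 0]; non-numeric parts count as 0
        def toInts = { String v ->
            v.tokenize('.-').take(3).collect { it.isInteger() ? (it as int) : 0 }
        }
        def min = toInts(okioMin)

        configurations.getByName('releaseRuntimeClasspath')
            .incoming.resolutionResult.allComponents
            .collect { it.moduleVersion }
            .findAll { it != null && it.group == 'com.squareup.okio' }
            .each { mv ->
                // Compare part by part; the first differing part decides.
                def older = [toInts(mv.version), min].transpose()
                    .findResult { a, b -> a != b ? a < b : null } ?: false
                if (older) {
                    throw new GradleException(
                        "${mv.group}:${mv.name}:${mv.version} is older than ${okioMin}")
                }
            }
    }
}
```

Running the task in CI keeps the floor enforced after later dependency changes; once Turbo itself ships a newer OkHttp, the constraint becomes a no-op and can be removed.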
