hotwired/turbo-android

Upgrade OkHttp to resolve CVE-2023-3635

guillermoAMS opened this issue · 1 comments

Turbo v7.1.2 uses com.squareup.okhttp3:okhttp:4.11.0 which in turn has the compile dependency com.squareup.okio:okio:3.2.0. (https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp/4.11.0).

CVE-2023-3635 reported a DoS vulnerability in Okio v3.2.0. The issue was fixed in Okio v3.4.0, and the latest version of OkHttp (which is v4.12.0) uses Okio v3.6.0.

Can we get a bump to com.squareup.okhttp3:okhttp:4.12.0?

Hi!

I don't know when this upgrade will take effect, and I guess it will eventually.

In the meantime, if you have any concerns, maybe you can address them by overriding transitive dependency versions in your build.gradle file.
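As an added example of the workaround suggested in the comment above (not code from the turbo-android project or from either participant), the following app-module build.gradle fragment uses a Gradle dependency constraint to raise the transitive OkHttp version to 4.12.0, which per the issue text brings in Okio 3.6.0 and therefore a release past the CVE-2023-3635 fix in 3.4.0. The Turbo artifact coordinates `dev.hotwire:turbo` are an assumption; the OkHttp and Okio coordinates and versions are the ones named in the issue.

```groovy
// app/build.gradle (Groovy DSL). Added example, not project code.
// Turbo 7.1.2 pulls okhttp 4.11.0 -> okio 3.2.0 transitively (see issue text).
// A dependency constraint lets the consuming app raise that version without
// waiting for the library to publish a bump.
dependencies {
    // Assumed coordinates for the library this issue is filed against.
    implementation 'dev.hotwire:turbo:7.1.2'

    constraints {
        // Raise the transitive OkHttp to the release that depends on okio 3.6.0.
        // A constraint only participates in resolution when the module is
        // already on the graph, so it does not add OkHttp where it is unused.
        implementation('com.squareup.okhttp3:okhttp:4.12.0') {
            because 'CVE-2023-3635: okio < 3.4.0 (transitive via okhttp 4.11.0) is vulnerable to DoS'
        }
        // Belt and braces: refuse to resolve any okio older than the fix version,
        // even if another dependency requests it directly.
        implementation('com.squareup.okio:okio') {
            version { strictly '[3.4.0,)' }
            because 'CVE-2023-3635 fixed in okio 3.4.0'
        }
    }
}

// Verify the resolved versions after syncing, e.g. from the repo root:
//   ./gradlew :app:dependencies --configuration releaseRuntimeClasspath | grep -E 'okhttp|okio'
// The okhttp line should read 4.11.0 -> 4.12.0 and okio should resolve to 3.6.0.
```

The `strictly` range is the part that actually guarantees the outcome: if a future dependency pins an older Okio, resolution fails with a conflict instead of silently shipping the vulnerable version. Re-run the `dependencies` report in CI so the override is checked on every build rather than once by hand.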