clickhouse-jdbc-0.6.0-patch3-all.jar includes CVE-2023-3635

[jjtt]

The included com.squareup.okio:okio should be updated to version 1.17.6 from the current 1.17.5

I have no idea if the vulnerability itself has any effect in this JDBC driver use case, but updating the dependency seems like the easiest solution.

[chernser]

@jjtt Thank you for reporting!

[chernser]

@jjtt
this dependency is related to the GRPC client and GRPC client is going to be deprecated soon.
As I may see this dependency has very old version and only several latest do not have the CVE. So it would require some effort to upgrade to the latest version.
We will handle it later while removing the GRPC client.

[mshustov]

GRPC client has been removed in https://github.com/ClickHouse/clickhouse-java/releases/tag/v0.7.0