-
Notifications
You must be signed in to change notification settings - Fork 9.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2021-0341 #6724
Comments
This was reported upstream to AOSP/Conscrypt after being fixed in OkHttp See https://github.com/square/okhttp/pull/6353/files which is in 4.9.1 https://android.googlesource.com/platform/external/okhttp/+/ddc934efe3ed06ce34f3724d41cfbdcd7e7358fc Possibly we could backport to 3.12.x. cc @swankjesse |
@yschimke Are you sure this fix make it into 4.9.1? Base on this https://github.com/square/okhttp/blob/parent-4.9.1/okhttp/src/main/kotlin/okhttp3/internal/tls/OkHostnameVerifier.kt. I don't see the below fix in verify() line 40 in 4.9.1. If this fix can be backport to 3.12.x, that will be really great. |
We discussed this the first time it went around. One problem with this CVE is that it considers this class in isolation. In OkHttp we guard against non-ASCII inputs elsewhere so they never reach this function. In practice the only way to exploit this is to use this function directly from application code, which is very unlikely. Regardless my experience has been it's easier to ship patches than to explain why they're unnecessary. So sure, let's do a round of patch releases. |
@swankjesse Thank you for the detail response this regard. |
This was released with 4.9.2. |
Is this included in 4.10.x? |
Yes. |
I am using |
You are right, and sorry about that. But critically 4.10 was never released and superseded by OkHttp 5. Either use 4.9.3 or 5 alphas (but new APIs may change). |
Thank you for explaining. I found this in a dependency, so I'll report it to them |
Did you decide not to backport this to 3.x? |
Correct - those are no longer maintained versions. |
4.10 is released and it is still being detected as a vulnerability |
Regarding CVE-2021-0341 - https://nvd.nist.gov/vuln/detail/CVE-2021-0341#VulnChangeHistorySection
Base on NexusIQ reporting, this is a high severity issue with verifyHostName of OkHostnameVerifier.java seems to impact all current version of okhttp v3.x and v4.x. The only okhttp version didn't have this issue in v5.0.0-alpha.2.
Would there be patch release on okhttp v3x. or v4.x to have similar changes as
https://android.googlesource.com/platform/external/okhttp/+/ddc934efe3ed06ce34f3724d41cfbdcd7e7358fc
The text was updated successfully, but these errors were encountered: