A new 4.x version of okhttp is needed with the okio upgrade #7946
Comments
Dupe of #7944
@JakeWharton Could you please re-open this issue, until a new version is released. I observed that #7944 is closed. But this issue is w.r.t. new version. So I would request you to please keep it open until a new version is released. Thank you!
@JakeWharton I agree with @KritiRajput, is there a target date for the new release?
I do not work on the project in a capacity to provide such updates. I'm just triaging the duplicates to help out.
There is also a 4.x bump here #7947, but waiting on a release. If it's really blocking you, you can bump Okio yourself. You will not be vulnerable after that. Are the tools flagging against your project even when you depend on the latest version of Okio?
According to https://square.github.io/okhttp/security/security/, only 4.x and 5.x are actively supported.
When looking at the different okhttp changelog (https://square.github.io/okhttp/changelogs/changelog/), it does not seem that there is any version using the okio 3.4.0 9 (even in the 5.x alpha releases).
A PR has been merged in the okhttp master branch to do the upgrade (#7932) but it is not included in any of the actual releases yet.
This new version is required to resolve security vulnerability CVE-2023-3635.
If a backport to 3.x or even 2.x is possible then that would be really great.