
Is Okhttp3 compatible with the latest version of the Okio artifact? #7994

Closed
akhil-lm opened this issue Aug 23, 2023 · 1 comment


@akhil-lm

The last version of Okhttp 3, v3.14.9, uses Okio version 1.17.2.
Okio 1.17.2 has been marked vulnerable with the vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-3635

Hence, we're planning to upgrade to the latest Okio version 3.5.0. But we currently don't need to upgrade okhttp3, and hence we don't want to. Since upgrading okhttp 3 to Okhttp 4 seems to have additional challenges, we want to stick to okhttp 3 for now.

The query I have is that if we keep using okhttp 3, and upgrade okio to the latest version 3.5.0, would there be a compatibility issue between okhttp3 and okio? Currently we use okhttp 3.13.0 in our application.

@yschimke
Collaborator

Yes. Okio is strictly semantically versioned. Raise a bug if it fails.

yschimke closed this as not planned Aug 23, 2023
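As an added example (not code from this thread, OkHttp or Okio), a Gradle Kotlin DSL fragment that does what the question asks: keep the application on OkHttp 3.14.9 while raising the transitive Okio dependency to 3.5.0 through a dependency constraint. The build file name and the Maven Central coordinates are assumptions based on the artifact names used in the thread.

```kotlin
// build.gradle.kts (file name assumed) -- added example, not from the issue or the projects.
plugins {
    `java-library`
}

repositories {
    mavenCentral()
}

dependencies {
    // The application stays on OkHttp 3. On its own, this line pulls in
    // com.squareup.okio:okio:1.17.2 transitively, the version the issue
    // reports as flagged by CVE-2023-3635.
    implementation("com.squareup.okhttp3:okhttp:3.14.9")

    // A constraint raises the transitive Okio version during resolution
    // without declaring Okio as a direct dependency of the application.
    // The because() text ends up in `gradlew dependencyInsight` output,
    // so the reason for the pin is visible to whoever reviews the build.
    constraints {
        implementation("com.squareup.okio:okio:3.5.0") {
            because("CVE-2023-3635: OkHttp 3.14.9 declares Okio 1.17.2")
        }
    }
}

// Verify what actually resolved (useful as a CI check after any dependency change):
//   ./gradlew dependencyInsight --configuration runtimeClasspath --dependency okio
// The report should show okio 1.17.2 being replaced by 3.5.0 and cite the because() text.
```

Okio 3.x is a Kotlin library, so this constraint also brings kotlin-stdlib onto the runtime classpath; the thread's answer is that Okio keeps binary compatibility across these versions, and a failure after the bump is something to report as an Okio bug rather than work around.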
julianladisch added a commit to folio-org/folio-spring-support that referenced this issue Sep 22, 2023
…3-3635

Upgrade okio-jvm from 3.0.0 to 3.4.0 fixing a Denial of Service (DoS) vulnerability:
https://nvd.nist.gov/vuln/detail/CVE-2023-3635

A minor version bump is needed for this security fix. Upstream projects don't do
a minor version bump; this must be done by FOLIO. It's compatible.
square/okhttp#7944
square/okhttp#7994
spring-projects/spring-boot#36450