what verison do I need to update For fixing CVE-2023-3635 #1350
Comments
|
3.4.0. The link that you provided tells you affected versions and the patched version. |
|
I did end up releasing 1.17.6 with this fix. But I recommend everyone upgrade to 3.6.0, it’s got other correctness & performance improvements. |
|
Hi @swankjesse, maven central still lists it as vulnerable And the security scanner our company uses as part of CI (Nexus Lifecycle) still flags 1.17.6. I reckon other companies scanners will find issues also. May be a case of false positives, giving it a day or two and going to check again if those get updated and show 1.17.6 as patched, but just for your awareness. |
|
I messaged the JFrog security team who reported the original CVE, and who I believe is the authority on what versions it’s fixed in. I can’t do that myself! |
|
Awesome, thank you 😃 |
I use version com.squareup.okio:okio:1.14.0 now , what min version do I need to update For fixing CVE-2023-3635
The text was updated successfully, but these errors were encountered: