what verison do I need to update For fixing CVE-2023-3635

Question

what verison do I need to update For fixing CVE-2023-3635

ya0xu opened this issue 9 months ago · comments

ya0xu commented 9 months ago

I use version com.squareup.okio:okio:1.14.0 now , what min version do I need to update For fixing CVE-2023-3635

Jake Wharton · Answer 1 · Tue Sep 19 2023 11:28:01 GMT+0800 (China Standard Time)

3.4.0. The link that you provided tells you affected versions and the patched version.

Jesse Wilson · Answer 2 · Mon Oct 02 2023 11:13:51 GMT+0800 (China Standard Time)

I did end up releasing 1.17.6 with this fix. But I recommend everyone upgrade to 3.6.0, it’s got other correctness & performance improvements.

Joey · Answer 3 · Tue Oct 03 2023 00:56:15 GMT+0800 (China Standard Time)

Hi @swankjesse, maven central still lists it as vulnerable
https://mvnrepository.com/artifact/com.squareup.okio/okio/1.17.6

And the security scanner our company uses as part of CI (Nexus Lifecycle) still flags 1.17.6. I reckon other companies scanners will find issues also.

May be a case of false positives, giving it a day or two and going to check again if those get updated and show 1.17.6 as patched, but just for your awareness.

Jesse Wilson · Answer 4 · Tue Oct 03 2023 05:32:33 GMT+0800 (China Standard Time)

I messaged the JFrog security team who reported the original CVE, and who I believe is the authority on what versions it’s fixed in. I can’t do that myself!

Joey · Answer 5 · Tue Oct 03 2023 08:23:04 GMT+0800 (China Standard Time)

Awesome, thank you 😃