What version do I need to update to for fixing CVE-2023-3635?
ya0xu opened this issue · comments
I use version com.squareup.okio:okio:1.14.0 now. What is the minimum version I need to update to for fixing CVE-2023-3635?
3.4.0. The link that you provided tells you affected versions and the patched version.
I did end up releasing 1.17.6 with this fix. But I recommend everyone upgrade to 3.6.0, it’s got other correctness & performance improvements.
Hi @swankjesse, maven central still lists it as vulnerable
https://mvnrepository.com/artifact/com.squareup.okio/okio/1.17.6
And the security scanner our company uses as part of CI (Nexus Lifecycle) still flags 1.17.6. I reckon other companies' scanners will find issues also.
Maybe a case of false positives; I'm giving it a day or two and going to check again whether those get updated and show 1.17.6 as patched, but just for your awareness.
I messaged the JFrog security team who reported the original CVE, and who I believe is the authority on what versions it’s fixed in. I can’t do that myself!
Awesome, thank you 😃