Upgrade com.squareup.okhttp3:okhttp libraries to >= 4.9.2 due to critical security vulnerability #711

Open
anbangz opened this issue Jul 25, 2022 · 2 comments

anbangz commented Jul 25, 2022

Description of vulnerability here: square/okhttp#6738

Snyk vulnerability here: https://security.snyk.io/vuln/SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044

I believe the

  • com.squareup.okhttp3:logging-interceptor
  • com.squareup.okhttp3:okhttp-urlconnection:3.12.12
  • com.squareup.retrofit2:retrofit:2.6.4

libraries will also have to be upgraded, as they take transitive dependencies on com.squareup.okhttp3:okhttp:3.12.12
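
An added example, not part of the original issue or the project's code: a Python check that scans `mvn dependency:tree` output for `com.squareup.okhttp3:okhttp` below the 4.9.2 named in the issue title and reports the dependency chain that pulls it in. The sample tree, the `com.example:app` root and the okio version are constructed for illustration.

```python
import re

FIXED = (4, 9, 2)  # minimum okhttp version requested in the issue title
TARGET = "com.squareup.okhttp3:okhttp"

# Constructed sample in the format printed by `mvn dependency:tree`.
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:1.0.0
[INFO] +- com.squareup.retrofit2:retrofit:jar:2.6.4:compile
[INFO] |  \- com.squareup.okhttp3:okhttp:jar:3.12.12:compile
[INFO] |     \- com.squareup.okio:okio:jar:1.15.0:compile
[INFO] \- com.squareup.okhttp3:okhttp-urlconnection:jar:3.12.12:compile
"""

# Optional "[INFO] " prefix, tree-drawing prefix (3 chars per level), then a
# coordinate of 4 to 6 colon-separated fields.
NODE = re.compile(r"^(?:\[INFO\] )?([|+\\ -]*)([\w.-]+(?::[\w.-]+){3,5})$")

def version_tuple(version):
    """Numeric release part of a version string, e.g. '4.9.2' -> (4, 9, 2)."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))

def find_outdated(tree_text, target=TARGET, fixed=FIXED):
    """Return [(version, [root, ..., parent])] for each target node below `fixed`."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line.rstrip())
        if not m:
            continue
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        # group:artifact:type[:classifier]:version:scope, or the 4-field root
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        name = ":".join(parts[:2])
        del stack[depth:]  # drop ancestors that are not on this node's path
        if name == target and version_tuple(version) < fixed:
            findings.append((version, list(stack)))
        stack.append(f"{name}:{version}")
    return findings

if __name__ == "__main__":
    for version, path in find_outdated(SAMPLE_TREE):
        print(f"{TARGET}:{version} pulled in via {' -> '.join(path)}")
```
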

kpytlar commented Sep 7, 2023

Checking in here - any plans to mitigate this vulnerability?

@weidongxu-microsoft
Member

Almost all client libs that depend on autorest-clientruntime-for-java were deprecated.

If you still use these libs (usually with the namespace "com.microsoft.azure."), please consider migrating to the new client lib ("com.azure.").
