No support for okio 3.4 in 2.7.x #36450
It's hard to tell without a complete stack trace, but it appears that the incompatibility is between OkHttp's Given the above, I think this is really out of Spring Boot's control. 2.7.x uses OkHttp 4.9.x by default and we won't upgrade to a new minor version of OkHttp in a maintenance release of Spring Boot. Assuming that new minors of OkHttp have not broken backwards compatibility, you should be able to override Boot's dependency management to use a version of OkHttp that meets your needs. If you haven't already, please try to do so.
As far as I know, there is no 4.9.11 release. On Maven Central, 4.9.3 is the latest 4.9.x release.
From here I can see 4.11 https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp-bom
Let me uplift the okhttp along with okio and reach out to you.
Yes, that's 4.11.0 which, going by
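The override that the comment above refers to, shown as an added Maven example that is not from the issue, from Spring Boot, or from the reporter's project. It assumes a `pom.xml` that inherits from `spring-boot-starter-parent`, that the Boot-managed property for `com.squareup.okhttp3` artifacts is `okhttp3.version` (check the dependency-versions appendix of the Boot release you use; the name is an assumption here), and that okio itself is not managed by Boot and so has to be pinned explicitly. The Boot and OkHttp versions are illustrative; whether a given OkHttp release actually works with okio 3.4.0 is the question this thread hands to the okhttp maintainers (square/okhttp#7944), and the example does not settle it.

```xml
<!-- Hypothetical pom.xml fragment for a Spring Boot 2.7.x application.
     Added example; not code from the issue or from Spring Boot itself. -->
<project>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.15</version> <!-- illustrative 2.7.x release -->
  </parent>

  <properties>
    <!-- Overrides the version spring-boot-dependencies manages for
         com.squareup.okhttp3:* . Property name assumed; verify it
         against the Boot "Dependency versions" appendix. -->
    <okhttp3.version>4.11.0</okhttp3.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- okio is assumed not to be managed by Boot, so pin it here so
           that every transitive path (OkHttp included) resolves the
           patched version rather than the 2.x/3.0.x one OkHttp declares. -->
      <dependency>
        <groupId>com.squareup.okio</groupId>
        <artifactId>okio</artifactId>
        <version>3.4.0</version>
      </dependency>
      <dependency>
        <groupId>com.squareup.okio</groupId>
        <artifactId>okio-jvm</artifactId>
        <version>3.4.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

After changing the pins, confirm what actually ends up on the classpath with `./mvnw dependency:tree -Dincludes=com.squareup.okhttp3,com.squareup.okio`; a `NoClassDefFoundError: okio/Buffer` at startup, like the one in this issue, is what a mismatch between the resolved OkHttp and okio artifacts looks like, so the tree output is the first thing to check before attributing the failure to Boot.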
Confirmed okhttp 4.11 doesn't support okio 3.4.0. I have tested it. Thanks @wilkinsona for your time. There is an issue raised to okhttp team square/okhttp#7944 |
Thanks for following up. This will have to be addressed by the maintainers of okio and okhttp. |
…3-3635 Upgrade okio-jvm from 3.0.0 to 3.4.0 fixing a Denial of Service (DoS) vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-3635 A minor version bump is needed for this security fix. Upstream projects don't do a minor version bump, this must be done by FOLIO. It's compatible. square/okhttp#7944 square/okhttp#7994 spring-projects/spring-boot#36450
Describe the bug
Recently a CVE was reported for okio versions <3.4.0: CVE-2023-3635
To resolve this CVE we wanted to override the okio version to 3.4.0, but Spring doesn't seem to support it.
Sample
Error that we are getting:
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'okHttpClientBuilder' defined in class path resource [org/springframework/cloud/commons/httpclient/HttpClientConfiguration$OkHttpClientConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [okhttp3.OkHttpClient$Builder]: Factory method 'okHttpClientBuilder' threw exception; nested exception is java.lang.NoClassDefFoundError: okio/Buffer
We can see that it's coming from okhttp3, which is pulled in by Spring. Is it possible to provide support for okio 3.4 (probably uplifting okhttp3 to 4.9.11 might support it??)