Sec Vuln: com.squareup.okio:okio:1.17.2 #170

Closed
ALRubinger opened this issue Feb 15, 2024 · 5 comments
@ALRubinger (Contributor)

From https://github.com/TBD54566975/tbdex-kt/actions/runs/7914128770/job/21603230799?pr=165#step:4:35:

⚑ Critical vulnerability detected on com.squareup.okio:okio@1.17.2
  CVE ID: CVE-2023-3635
  Fixed in: 1.17.6

Force resolution to recommended; test this doesn't introduce other issues in the test suite.

@ALRubinger (Contributor, Author)

Confirmed before:

./gradlew -q dependencyInsight --dependency com.squareup.okio:okio --configuration tCC -p httpserver
com.squareup.okio:okio:1.17.2

@ALRubinger (Contributor, Author)

Going to use 3.6.0 here to align with the recommendations made and implemented for web5-kt, as well as the resolved classpaths elsewhere in this project:

https://scans.gradle.com/s/rdmyr7k3vuvmo/dependencies?dependencies=okio&expandAll

@ALRubinger (Contributor, Author)

Confirmed after:

./gradlew -q dependencyInsight --dependency com.squareup.okio:okio --configuration tCC -p httpserver
com.squareup.okio:okio:3.6.0 (forced)
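
The forced resolution described above, plus a build-time guard so the vulnerable version cannot silently come back, as an added example in Gradle Kotlin DSL; it is not the tbdex-kt project's own build script, and the module path, the `check` task and the `checkOkioVersion` task name are assumptions:

```kotlin
// build.gradle.kts of the affected module (assumed path; added example, not
// the tbdex-kt project's own build script)

// 1. Pin okio in every configuration so a transitive request for 1.17.2
//    (the version the scanner flagged) resolves to 3.6.0 instead;
//    `force` overrides whatever version transitive dependencies ask for.
configurations.all {
    resolutionStrategy {
        force("com.squareup.okio:okio:3.6.0")
    }
}

// 2. Guard against regressions: fail the build if any resolvable configuration
//    still contains okio below the scanner's "Fixed in" version, so a future
//    dependency bump that drags 1.17.x back in is caught by `./gradlew check`.
val okioFloor = "1.17.6"

// Compare dotted numeric versions component by component; a missing
// component counts as 0, so "3.6" and "3.6.0" are equal.
fun versionAtLeast(actual: String, floor: String): Boolean {
    val a = actual.split('.').map { it.toIntOrNull() ?: 0 }
    val f = floor.split('.').map { it.toIntOrNull() ?: 0 }
    for (i in 0 until maxOf(a.size, f.size)) {
        val x = a.getOrElse(i) { 0 }
        val y = f.getOrElse(i) { 0 }
        if (x != y) return x > y
    }
    return true
}

tasks.register("checkOkioVersion") {
    description = "Fails if any configuration resolves okio below $okioFloor"
    doLast {
        configurations.filter { it.isCanBeResolved }.forEach { cfg ->
            cfg.incoming.resolutionResult.allComponents.forEach { comp ->
                val id = comp.moduleVersion ?: return@forEach
                if (id.group == "com.squareup.okio" && id.name == "okio" &&
                    !versionAtLeast(id.version, okioFloor)
                ) {
                    throw GradleException(
                        "${cfg.name} resolves $id (< $okioFloor, CVE-2023-3635)"
                    )
                }
            }
        }
    }
}

// Hook the guard into `check` (assumes a plugin providing `check` is applied).
tasks.named("check") { dependsOn("checkOkioVersion") }
```

After applying the pin, `./gradlew -q dependencyInsight --dependency com.squareup.okio:okio --configuration <configuration> -p <module>` should report the forced version, as the comment above shows for `tCC`.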

ALRubinger added a commit that referenced this issue Feb 15, 2024
* Force resolution to upgrade to 3.6.0
@ALRubinger (Contributor, Author)

Part of PR #165

@ALRubinger ALRubinger moved this from 🏗 In progress to 👀 In review in (OLD) Open Source Programs Engineering Feb 15, 2024
ALRubinger added a commit that referenced this issue Feb 17, 2024
* Force resolution to upgrade to 3.6.0
@ALRubinger ALRubinger moved this from In Progress to In Code Review in SDK Development Feb 17, 2024
jiyoonie9 pushed a commit that referenced this issue Feb 21, 2024
* Force resolution to upgrade to 3.6.0
@ALRubinger (Contributor, Author)

Done in PR #165

@github-project-automation github-project-automation bot moved this from In Code Review to Done in SDK Development Feb 21, 2024
@github-project-automation github-project-automation bot moved this from 👀 In review to ✅ Done in (OLD) Open Source Programs Engineering Feb 21, 2024