Update okhttp version from 2.5.0 to 2.7.4

[sourabhsparkala]

This update of com.squareup.okhttp:okhttp:jar version from 2.5.0 to 2.7.4 would help resolve a reported vulnerability CVE-2016-2402

It would help us a great deal, if you can update the version
As shown in the mvn tree

| | +- io.grpc:grpc-okhttp:jar:1.17.1:compile
| | | \- com.squareup.okhttp:okhttp:jar:2.5.0:compile

Also, we would appreciate it if you can let us know, whether it possible to do a quick release as early as possible.

Requesting you to downport the com.squareup.okhttp:okhttp:jar version fix update to io.grpc:grpc-okhttp:jar:1.17.1 as well

[ericgribkoff]

gRPC Java uses very little of the internals of okhttp; in particular, we do not use OkHttp's certificate pinning so this vulnerability does not apply to gRPC Java users. Please see the discussion from #6119 (comment) for more details around what (minimal) parts of OkHttp we actually use.

[sourabhsparkala]

gRPC Java uses very little of the internals of okhttp; in particular, we do not use OkHttp's certificate pinning so this vulnerability does not apply to gRPC Java users. Please see the discussion from #6119 (comment) for more details around what (minimal) parts of OkHttp we actually use.

Thank you for the clarification 👍

[creamsoup]

upgraded is done vis #6726, as discussed above and in the PR. we don't need to patch release this fix because grpc-okhttp is not affected by the linked CVE.