what verison do I need to update For fixing CVE-2023-3635

[ya0xu]

I use version com.squareup.okio:okio:1.14.0 now , what min version do I need to update For fixing CVE-2023-3635

[JakeWharton]

3.4.0. The link that you provided tells you affected versions and the patched version.

[swankjesse]

I did end up releasing 1.17.6 with this fix. But I recommend everyone upgrade to 3.6.0, it’s got other correctness & performance improvements.

[djq183u]

Hi @swankjesse, maven central still lists it as vulnerable
https://mvnrepository.com/artifact/com.squareup.okio/okio/1.17.6

And the security scanner our company uses as part of CI (Nexus Lifecycle) still flags 1.17.6. I reckon other companies scanners will find issues also.

May be a case of false positives, giving it a day or two and going to check again if those get updated and show 1.17.6 as patched, but just for your awareness.

[swankjesse]

I messaged the JFrog security team who reported the original CVE, and who I believe is the authority on what versions it’s fixed in. I can’t do that myself!

[djq183u]

Awesome, thank you 😃