CVE-2020-15824 vulnerability in Okhttp #6219
Comments
OkHttp does not use Kotlin's scripting. That being said, Kotlin 1.4 has not been released, but yes, we will upgrade when it's available.
…On Tue, Aug 11, 2020, at 7:25 AM, johannesJemstep wrote:
Our Dependency check software flagged the following dependency in Okhttp CVE-2020-15824 <https://nvd.nist.gov/vuln/detail/CVE-2020-15824>. We wanted to log this as a vulnerability, but your policy states "Issues related to software not under our control (such as external dependencies)".
We noted that this vulnerability was fixed in Kotlin V1.4 <https://blog.jetbrains.com/blog/2020/08/06/jetbrains-security-bulletin-q2-2020/>, but Okhttp is using 1.3.72 <https://github.com/square/okhttp/blob/master/build.gradle>. Are there any plans to upgrade Kotlin?
Thanks for the reply @JakeWharton. I will close this issue then, seeing that an upgrade to Kotlin 1.4 will happen when it's released.
Unfortunately OkHttp CVE-2020-29582 should be fixed in Kotlin version
Our Dependency check software flagged the following dependency in Okhttp CVE-2020-15824. We wanted to log this as a vulnerability, but your policy states "Issues related to software not under our control (such as external dependencies)".
We noted that this vulnerability was fixed in Kotlin V1.4, but Okhttp is using 1.3.72. Are there any plans to upgrade Kotlin?