Closed by keruitan-wk 2 years ago
The dependency on kotlin-stdlib comes from the com.squareup.okhttp3:okhttp dependency.
Currently the com.squareup.okhttp3:okhttp dependency is version 4.8.0. Version 4.8.0 uses Kotlin version 1.3.72.
To address the CVE we need to raise the Kotlin version to 1.4.21.
The highest Kotlin version used by a 4.x update of the com.squareup.okhttp3:okhttp dependency is 1.4.10, which would not address the CVE.
The latest alpha version (5.x) of the com.squareup.okhttp3:okhttp dependency uses Kotlin version 1.4.21, which would address the CVE. When the 5.x version is released we should update; hopefully the major version changes aren't too much.
We checked in on this again. The OkHttp3 project still needs to update to Kotlin 1.4.21. Looks like it is planned for version 5, which is still in alpha.
Unclear why the issue has been closed:
https://github.com/square/okhttp/issues/6219
https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp
There is a newer 4.x version of okhttp3 now that has an updated Kotlin library that resolves the vulnerability:
https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp/4.10.0
Could that be used instead while waiting on 5.x?
We'll look into getting this updated. Thanks @christrotteradhoc !
This will be addressed in the telemetry sdk v0.15.0 release as soon as it is out.
Hello, there is a CVE (CVE-2020-29582) in the kotlin-stdlib version 1.3.72 package that is fixed in version 1.4.21. The latest New Relic telemetry-http-okhttp package (0.12.0) still has a dependency on kotlin-stdlib version 1.3.72 based on the mvn dependency:tree output below. Could telemetry-http-okhttp be updated to use version 1.4.21 of the kotlin-stdlib package?
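As an added defender-side check, not code from this issue or from the New Relic or OkHttp projects: a small parser for mvn dependency:tree output that flags any transitive kotlin-stdlib below the fixed version 1.4.21 and reports the chain of artifacts that pulls it in. The sample tree is constructed; org.jetbrains.kotlin is the real group id of kotlin-stdlib, the other coordinates mirror the versions quoted in the issue, and the okio line is illustrative.

```python
import re
from typing import List, Tuple

# Kotlin version in which CVE-2020-29582 is fixed, per the issue text.
FIXED_KOTLIN = (1, 4, 21)

# Constructed sample of `mvn dependency:tree` output (not real project output).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- com.newrelic.telemetry:telemetry-http-okhttp:jar:0.12.0:compile
[INFO] |  \\- com.squareup.okhttp3:okhttp:jar:4.8.0:compile
[INFO] |     +- com.squareup.okio:okio:jar:2.7.0:compile
[INFO] |     \\- org.jetbrains.kotlin:kotlin-stdlib:jar:1.3.72:compile
[INFO] \\- junit:junit:jar:4.13:test
"""

# Tree-drawing prefix ("+- ", "|  \- ", ...) followed by group:artifact:type:version[:scope].
LINE_RE = re.compile(r"^\[INFO\]\s*(?P<prefix>[|+\\\- ]*)(?P<coord>\S+)$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.21' into (1, 4, 21); non-numeric parts such as 'RC' sort low."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v))


def find_vulnerable_stdlib(tree: str, fixed=FIXED_KOTLIN) -> List[Tuple[str, str, List[str]]]:
    """Return (artifact, version, path_from_root) for every kotlin-stdlib older than `fixed`."""
    findings = []
    stack: List[Tuple[int, str]] = []  # (depth, coordinate) of the current ancestors
    for line in tree.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3  # dependency:tree indents three chars per level
        coord = m.group("coord")
        while stack and stack[-1][0] >= depth:  # climb back up to this line's parent
            stack.pop()
        group, artifact, _type, version = coord.split(":")[:4]
        if group == "org.jetbrains.kotlin" and artifact.startswith("kotlin-stdlib") \
                and parse_version(version) < fixed:
            findings.append((f"{group}:{artifact}", version, [c for _, c in stack]))
        stack.append((depth, coord))
    return findings


if __name__ == "__main__":
    for artifact, version, path in find_vulnerable_stdlib(SAMPLE_TREE):
        print(f"{artifact}:{version} is below 1.4.21, pulled in via: " + " -> ".join(path))
```

Pipe real output in with `mvn dependency:tree | python check_stdlib.py` after replacing SAMPLE_TREE with `sys.stdin.read()`; the printed chain shows which direct dependency (here telemetry-http-okhttp, via okhttp 4.8.0) needs the upgrade.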