Hello Team, We are from Team Phosphor.
We deal with supporting development teams with secure OSS libraries within SAP. We came across a vulnerability, CVE-2016-2402 [3]. As per the mvn dependency tree:

    | | +- io.grpc:grpc-okhttp:jar:1.17.1:compile
    | | |  \- com.squareup.okhttp:okhttp:jar:2.5.0:compile

The com.squareup.okhttp:okhttp:jar:2.5.0 is affected by the above-mentioned CVE. Hence we request that you resolve this by updating the version to 2.7.4, as described in [1]. The same concern has been raised in #6725 [2], along with the associated PR [4]. We request that you let us know when the next possible release date could be. We would appreciate it if the version update could also be reflected in io.grpc:grpc-okhttp:jar:1.17.1.

Best Regards
Sourabh

[1] https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/
[2] https://github.com/grpc/grpc-java/issues/6725
[3] https://nvd.nist.gov/vuln/detail/CVE-2016-2402
[4] https://github.com/grpc/grpc-java/pull/6726

--
You received this message because you are subscribed to the Google Groups "grpc.io" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/AM0PR02MB4515AAF8190A4D7FAA999672AA100%40AM0PR02MB4515.eurprd02.prod.outlook.com.
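Until a grpc-java release ships the bump, a consuming project can force the patched okhttp on the transitive path itself. This pom.xml fragment is an added example, not part of the message or of the grpc-java project; 2.7.4 is the version the message requests, and its binary compatibility with grpc-okhttp 1.17.1 is an assumption that should be verified by the project's own tests.

```xml
<!-- Consumer-side pom.xml fragment (added example, not from the message or grpc-java).
     dependencyManagement overrides the transitive okhttp version that
     io.grpc:grpc-okhttp:1.17.1 pulls in, without modifying grpc-okhttp itself. -->
<project>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.squareup.okhttp</groupId>
        <artifactId>okhttp</artifactId>
        <!-- 2.7.4 is the fixed version requested in the message; assumed
             binary-compatible with grpc-okhttp 1.17.1 (verify in your build) -->
        <version>2.7.4</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>io.grpc</groupId>
      <artifactId>grpc-okhttp</artifactId>
      <version>1.17.1</version>
    </dependency>
  </dependencies>
</project>
<!-- Check that the override took effect:
       mvn dependency:tree -Dincludes=com.squareup.okhttp
     The tree should now list com.squareup.okhttp:okhttp:jar:2.7.4 and no 2.5.0. -->
```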
