Thanks for the report! You also created a GitHub issue <https://github.com/grpc/grpc-java/issues/6725> and PR <https://github.com/grpc/grpc-java/pull/6726>. Let's proceed on GitHub.

On Wed, Feb 19, 2020 at 4:00 AM Parkala, Sourabh Sarvotham <[email protected]> wrote:
> Hello Team,
>
> We are from Team Phosphor.
>
> We deal with supporting development teams with secure OSS Libraries within SAP.
>
> We came across a vulnerability CVE-2016-2402 ([3]).
>
> As per the mvn dependency tree,
>
> | | +- io.grpc:grpc-okhttp:jar:1.17.1:compile
> | | | \- com.squareup.okhttp:okhttp:jar:2.5.0:compile
>
> The com.squareup.okhttp:okhttp:jar:2.5.0 is affected by the above-mentioned CVE. Hence requesting you to resolve that by updating the version to 2.7.4 as described in [1]
>
> The same concern has been raised in #6725 [2], also the associated PR [4].
>
> Requesting you to let us know when could be the next possible release date.
>
> We would appreciate it if the version update can also be reflected in io.grpc:grpc-okhttp:jar:1.17.1
>
> Best Regards
>
> Sourabh
>
> [1] https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/
> [2] https://github.com/grpc/grpc-java/issues/6725
> [3] https://nvd.nist.gov/vuln/detail/CVE-2016-2402
> [4] https://github.com/grpc/grpc-java/pull/6726
>
> --
> You received this message because you are subscribed to the Google Groups "grpc.io" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/AM0PR02MB4515AAF8190A4D7FAA999672AA100%40AM0PR02MB4515.eurprd02.prod.outlook.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/CABu9Gjo5NOPR-%2BVxqVqcDZGk4R8iiy-Lrojs8mWRwYqwF9%3D1zQ%40mail.gmail.com.
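
The dependency check described in the report, as an added example that is not part of the thread or of grpc-java: it walks `mvn dependency:tree` output and reports every path that pulls in `com.squareup.okhttp:okhttp` below 2.7.4. The function names and the sample tree are assumptions made for illustration, and it expects Maven's real three-column indentation rather than the whitespace-collapsed form quoted in the e-mail.

```python
import re

# Fixed version taken from the report above ("updating the version to 2.7.4").
FIXED = (2, 7, 4)
TARGET = ("com.squareup.okhttp", "okhttp")

# Constructed sample in `mvn dependency:tree` layout; the two okhttp-related
# lines mirror the report, the root and sibling entries are made up.
SAMPLE_TREE = """\
com.example:app:jar:1.0.0
+- com.example:lib:jar:1.0.0:compile
|  +- io.grpc:grpc-okhttp:jar:1.17.1:compile
|  |  \\- com.squareup.okhttp:okhttp:jar:2.5.0:compile
|  \\- com.example:other:jar:2.0.0:compile
\\- com.squareup.okhttp:okhttp:jar:2.7.5:compile
"""


def version_key(version):
    """First three numeric components, zero-padded; qualifiers are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def find_vulnerable(tree_text):
    """Return (version, path-from-root) for each okhttp entry below FIXED."""
    findings, stack = [], []
    for raw in tree_text.splitlines():
        # Maven prefixes console lines with "[INFO] "; tolerate both forms.
        line = re.sub(r"^\[INFO\] ?", "", raw.rstrip())
        m = re.match(r"^([|+\\\- ]*)([^\s:]+(?::[^\s:]+){3,5})$", line)
        if not m:
            continue
        depth = len(m.group(1)) // 3  # each tree level is three columns wide
        parts = m.group(2).split(":")
        # g:a:type:version[:scope] or g:a:type:classifier:version:scope
        version = parts[3] if len(parts) <= 5 else parts[4]
        del stack[depth:]  # drop siblings and deeper entries
        stack.append(f"{parts[0]}:{parts[1]}:{version}")
        if tuple(parts[:2]) == TARGET and version_key(version) < FIXED:
            findings.append((version, list(stack)))
    return findings


if __name__ == "__main__":
    for version, path in find_vulnerable(SAMPLE_TREE):
        print(f"okhttp {version} < 2.7.4 via " + " -> ".join(path))
```

The path in each finding shows which direct dependency has to be upgraded or overridden to move the transitive okhttp version.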
