Request to address issue #6725


Parkala, Sourabh Sarvotham

unread,
Feb 19, 2020, 7:00:35 AM2/19/20
to grp...@googlegroups.com, DL Phosphor Team Core

Hello Team,

We are from Team Phosphor.

We deal with supporting development teams with secure OSS Libraries within SAP.

We came across a vulnerability, CVE-2016-2402 ([3]).

As per the mvn dependency tree,

| | +- io.grpc:grpc-okhttp:jar:1.17.1:compile
| | | \- com.squareup.okhttp:okhttp:jar:2.5.0:compile

The com.squareup.okhttp:okhttp:jar:2.5.0 is affected by the above-mentioned CVE. Hence requesting you to resolve that by updating the version to 2.7.4 as described in [1].

The same concern has been raised in #6725 [2], and also in the associated PR [4].

Requesting you to let us know when the next possible release date could be.

We would appreciate it if the version update can also be reflected in io.grpc:grpc-okhttp:jar:1.17.1.

Best Regards,
Sourabh

[1] https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability/
[2] https://github.com/grpc/grpc-java/issues/6725
[3] https://nvd.nist.gov/vuln/detail/CVE-2016-2402
[4] https://github.com/grpc/grpc-java/pull/6726
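As an added example (not part of this thread or of the grpc-java project), a small Python checker that scans `mvn dependency:tree` output such as the fragment quoted above and flags OkHttp versions below the fixed releases named in the linked advisory (2.7.4 for the 2.x line, 3.1.2 for the okhttp3 3.x line). The sample tree is constructed to mirror the thread's fragment.

```python
"""Scan `mvn dependency:tree` output for OkHttp versions affected by CVE-2016-2402."""
import re

# Fixed releases per the linked advisory: 2.7.4 for the 2.x line and 3.1.2 for 3.x.
# OkHttp 3.x moved to the com.squareup.okhttp3 groupId, so both groups are checked.
FIXED = {"com.squareup.okhttp": (2, 7, 4), "com.squareup.okhttp3": (3, 1, 2)}

# Maven coordinate as printed in tree output: group:artifact:packaging[:classifier]:version:scope
COORD_RE = re.compile(
    r"(?P<group>com\.squareup\.okhttp3?):okhttp:[^:\s]+(?::[^:\s]+)?:(?P<version>[^:\s]+):\w+"
)

# Constructed sample modelled on the dependency tree fragment quoted in the thread.
SAMPLE_TREE = """
[INFO] +- io.grpc:grpc-okhttp:jar:1.17.1:compile
[INFO] |  \\- com.squareup.okhttp:okhttp:jar:2.5.0:compile
[INFO] |     \\- com.squareup.okio:okio:jar:1.6.0:compile
[INFO] +- com.squareup.okhttp3:okhttp:jar:3.12.0:compile
"""

def parse_version(text):
    """'2.5.0' -> (2, 5, 0); a trailing qualifier such as '-SNAPSHOT' is dropped."""
    nums = []
    for part in text.split("."):
        match = re.match(r"\d+", part)
        if not match:
            break
        nums.append(int(match.group()))
    return tuple(nums)

def is_vulnerable(group, version):
    """True when the version precedes the fixed release for its groupId/major line."""
    fixed = FIXED.get(group)
    return fixed is not None and parse_version(version) < fixed

def scan_tree(tree_text):
    """Return [(group:okhttp:version, vulnerable?), ...] for every OkHttp artifact found."""
    findings = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if m:
            coord = f"{m['group']}:okhttp:{m['version']}"
            findings.append((coord, is_vulnerable(m["group"], m["version"])))
    return findings

if __name__ == "__main__":
    for coord, vuln in scan_tree(SAMPLE_TREE):
        print(f"{coord}: {'VULNERABLE (CVE-2016-2402)' if vuln else 'ok'}")
```

Pipe real output into `scan_tree` (for example `mvn dependency:tree | python checker.py` with a `sys.stdin.read()` call) to check a build; transitive pins from `dependencyManagement` show up in the same coordinate format.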

Jihun Cho

unread,
Feb 19, 2020, 1:19:10 PM2/19/20
to Parkala, Sourabh Sarvotham, grp...@googlegroups.com, DL Phosphor Team Core
Thanks for the report! You also created a GitHub issue and PR. Let's proceed on GitHub.


To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/AM0PR02MB4515AAF8190A4D7FAA999672AA100%40AM0PR02MB4515.eurprd02.prod.outlook.com.