
Fix CVE-2022-24329 #7217

Closed
catap opened this issue Apr 6, 2022 · 11 comments
Labels
bug Bug in existing code

Comments

catap commented Apr 6, 2022

To fix CVE-2022-24329 Kotlin should be updated to 1.6.0.

The last stable release, 4.9.3, uses 1.4.10, which is vulnerable to this CVE.

Is it possible to update the Kotlin version on the stable branch and release 4.9.4?

Thanks!

@JakeWharton
Member

That CVE is for the compiler and only for Kotlin/JS targets. Since the released artifacts are already built they are not susceptible. Since we are not using Kotlin/JS we are also not susceptible.

yschimke closed this as completed Apr 6, 2022

catap commented Apr 6, 2022

@JakeWharton yes, but this CVE triggers a lot of scanners at some unexpected places.

For example, the last release of Akka Discovery for Consul depends on this project.


yschimke commented Apr 6, 2022

I'll reopen to discuss

yschimke reopened this Apr 6, 2022

catap commented Apr 6, 2022

@yschimke thanks. From my point of view such an update should be quite minor and cost only a simple release of the old (stable?) version, which would make a lot of security scanners happy and allow avoiding ugly exclusions in dependencies and possible ABI incompatibility at runtime.


swankjesse commented Apr 6, 2022

I'm extremely uncomfortable making a patch release that changes a transitive dependency to a new minor version. It's a big violation of semver. A better fix would be 4.10.0, or 5.0.0.

We're not done with 5.0.0, so it'd have to be 4.10.0.


yschimke commented Apr 6, 2022

4.10.0 might be a good point to make the transition to 5.0 slightly less of a jump. Take the Kotlin 1.6.20 hit now.

Regardless, my experience has been that it's easier to ship patches than to explain why they're unnecessary. So sure, let's do a round of patch releases.

@JakeWharton
Member

It's pretty ridiculous that every project in the world needs to update their Kotlin version, despite the fact that this only applies to build tools, not shipped artifacts, because of some broken CVE scanning tool.

I vote do nothing in protest.


catap commented Apr 6, 2022

@JakeWharton the root cause of this issue is that Kotlin made a fix for the CVE only for one release, the next one, without any attempt to backport it to the older version which is widely used.

Unfortunately this is usual behaviour; a few days ago Scala.JS released a new version to fix CVE-2022-28355, which broke a lot of things :(

@yschimke
Collaborator

Will be in 4.10 - #7230


swankjesse added this to the 4.10 milestone Jun 12, 2022

crbean commented Jul 21, 2022

Does the vulnerability (CVE-2022-24329) affect okhttp (4.9.3)?

According to the vulnerability description, I understand that the problem lies in the build phase. The constructed okhttp should not be affected.
