Why are some Maven packages so old and still not updated, even ones with high-severity vulnerabilities #224

Open
damonflycloud opened this issue Apr 10, 2024 · 3 comments

Comments

@damonflycloud

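Why are some of the Maven packages so old and still not updated, even ones with high-severity vulnerabilities? For example, the okhttp package: the project still uses a 3.x version, and this version has a high-severity vulnerability. Doesn't the official team plan to upgrade it?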

@zqfan
Member

zqfan commented Apr 13, 2024

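This version was chosen at the time because upgrading any further caused compatibility problems, and https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp does not mark this version as having any risk. Could you please post a link to the high-severity vulnerability you saw? We'll look into how to handle it.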

@damonflycloud
Author

[image] As shown in the image, this version of okhttp is affected by the [CVE-2023-3635](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3635) vulnerability.

@sanyecao2314
Copy link

Same question. Can the maintainers upgrade these?
