clickhouse-jdbc-0.6.0-patch3-all.jar includes CVE-2023-3635 #1585

Open
jjtt opened this issue Apr 4, 2024 · 2 comments
Labels: dependencies (Pull requests that update a dependency file)

Comments
jjtt commented Apr 4, 2024

The included com.squareup.okio:okio should be updated to version 1.17.6 from the current 1.17.5.

I have no idea if the vulnerability itself has any effect in this JDBC driver use case, but updating the dependency seems like the easiest solution.

@jjtt jjtt added the bug label Apr 4, 2024
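One way to verify a report like the one above on a downloaded -all jar, as an added example that is not part of this issue or of clickhouse-jdbc: the script below reads the Maven coordinates a shaded jar bundles from its META-INF/maven/.../pom.properties entries and compares the okio version it finds against 1.17.6, the fixed version named in the report. The ADVISORIES table, the `okio/` class-path prefix used as a fallback when the metadata is missing, and the sample jars the demo builds are constructed for the example; only the standard library is used.

```python
"""Check whether a shaded (-all) jar bundles an artifact below its fixed version.

Added example for this issue; not part of clickhouse-jdbc. It assumes the jar
keeps Maven's META-INF/maven/<groupId>/<artifactId>/pom.properties entries; a
shade plugin can strip or relocate them, which the class-path fallback reports.
"""
import os
import re
import tempfile
import zipfile

# (groupId, artifactId) -> (advisory, first fixed version, class-path prefix).
# The fixed version is the one named in the issue above; the class-path prefix
# is an assumption used only when pom.properties is missing from the jar.
ADVISORIES = {
    ("com.squareup.okio", "okio"): ("CVE-2023-3635", "1.17.6", "okio/"),
}

POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(text):
    """'1.17.5' -> (1, 17, 5); non-numeric qualifiers are dropped."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def bundled_artifacts(jar_path):
    """Map (groupId, artifactId) -> version for every pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            m = POM_PROPS.match(name)
            if not m:
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            coord = (props.get("groupId", m.group(1)), props.get("artifactId", m.group(2)))
            found[coord] = props.get("version", "")
    return found


def classes_present(jar_path, prefix):
    """Fallback for stripped metadata: does any .class file live under the prefix?"""
    with zipfile.ZipFile(jar_path) as jar:
        return any(n.startswith(prefix) and n.endswith(".class") for n in jar.namelist())


def check_jar(jar_path):
    """Return [(groupId:artifactId, bundled version, advisory, status), ...]."""
    findings = []
    bundled = bundled_artifacts(jar_path)
    for (group, artifact), (advisory, fixed, prefix) in ADVISORIES.items():
        coord = f"{group}:{artifact}"
        version = bundled.get((group, artifact))
        if version is None:
            # Metadata missing: report presence, but the version cannot be read.
            if classes_present(jar_path, prefix):
                findings.append((coord, "unknown", advisory, "present, version unknown"))
            continue
        have, want = parse_version(version), parse_version(fixed)
        if have[:1] != want[:1]:
            status = "different release line, check advisory"
        elif have < want:
            status = "vulnerable"
        else:
            status = "fixed"
        findings.append((coord, version, advisory, status))
    return findings


def build_sample_jar(path, okio_version=None):
    """Write a constructed jar mimicking an -all jar that bundles okio (sample data).

    With okio_version=None the Maven metadata is omitted, as a shade plugin might do.
    """
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("okio/GzipSource.class", b"\xca\xfe\xba\xbe")  # placeholder bytes
        if okio_version is not None:
            jar.writestr(
                "META-INF/maven/com.squareup.okio/okio/pom.properties",
                f"#Generated by Maven\nversion={okio_version}\n"
                "groupId=com.squareup.okio\nartifactId=okio\n",
            )
    return path


def run_demo():
    """Build three constructed jars and return {label: okio status} for each."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        for label, version in (("1.17.5", "1.17.5"), ("1.17.6", "1.17.6"), ("stripped", None)):
            jar = build_sample_jar(os.path.join(workdir, f"{label}.jar"), version)
            results[label] = check_jar(jar)[0][3]
    return results


if __name__ == "__main__":
    # On a real artifact: print(check_jar("clickhouse-jdbc-0.6.0-patch3-all.jar"))
    for label, status in run_demo().items():
        print(f"okio {label}: {status}")
```

To use it on the real artifact, point `check_jar` at the downloaded jar instead of the demo. A shaded jar that relocates packages under the driver's own namespace defeats both the metadata and the class-path lookup, so an empty result is not a clean bill; in that case list the jar's entries (for example with `unzip -l`) and look for the relocated class names.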
chernser (Contributor) commented Apr 4, 2024

@jjtt Thank you for reporting!

@chernser chernser self-assigned this Apr 4, 2024
chernser (Contributor) commented Apr 8, 2024

@jjtt
This dependency is related to the GRPC client, and the GRPC client is going to be deprecated soon.
As far as I can see, this dependency is at a very old version, and only the several latest versions do not have the CVE. So it would require some effort to upgrade to the latest version.
We will handle it later while removing the GRPC client.

@chernser chernser added dependencies Pull requests that update a dependency file and removed bug labels Apr 8, 2024