Okhttp: CVE-2020-29582 due to old version of Okhttp (Squareup)

[moritzluedtke]

When running the OWASP dependency check in a project with okhttp in its dependencies the OWASP check finds the following two vulnerabilities:

kotlin-stdlib-1.3.71.jar: CVE-2020-29582
kotlin-stdlib-common-1.3.70.jar: CVE-2020-29582

According to the NVD (link to CVE-2020-29582) the fix should be present in version 1.4.21 onwards.

The two libraries are used by Okhttp from Squareup.

Feign Okhttp 11.6 uses Okhttp (Squareup) 4.6.0 (April 2020). So this could have already been fixed in Okhttp.

[moritzluedtke]

I'll see if I can work on a fix myself (never worked on Feign before). But I would guess it could be as simple as a dependency update (best case).

[moritzluedtke]

I wanted to test the dependency update locally but couldn't run mvn install on the core submodule (which seems to be needed to build okhttp) successfully due to:

[ERROR] Failed to execute goal com.github.ekryd.sortpom:sortpom-maven-plugin:2.8.0:sort (format) on project feign-core: Could not find /Users/mluedtke/Workspace/github/feign-forked/core/src/config/pomSortOrder.xml or src/config/pomSortOrder.xml in classpath -> [Help 1]

Maybe someone could help me test it locally or verify the change. I pushed it to this branch in my fork. Only this one line changed:
https://github.com/moritzluedtke/feign/blob/CVE-2020-29582/pom.xml#L77

[vitalijr2]

I wanted to test the dependency update locally but couldn't run mvn install on the core submodule (which seems to be needed to build okhttp) successfully due to:

[ERROR] Failed to execute goal com.github.ekryd.sortpom:sortpom-maven-plugin:2.8.0:sort (format) on project feign-core: Could not find /Users/mluedtke/Workspace/github/feign-forked/core/src/config/pomSortOrder.xml or src/config/pomSortOrder.xml in classpath -> [Help 1]

Maybe someone could help me test it locally or verify the change. I pushed it to this branch in my fork. Only this one line changed: https://github.com/moritzluedtke/feign/blob/CVE-2020-29582/pom.xml#L77

I have tested it locally: the build is successful.

@moritzluedtke if you create pull request, the github workflow checks any building errors.

[velo]

I made a PR for it, seems fine on my computer, let's see what is CI opinion
#1518

[moritzluedtke]

Thank you @radio-rogal and @velo for taking a look at this and fixing it! Do you have an estimate on when the new version will be released?

[moritzluedtke]

Unfortunately this is still an issue with 11.7.
But this should be fixed by the OkHttp team at square up. I commented on this issue:
square/okhttp#6219