CVE-2021-0341: Use of old (non-maintained) okhttp

[mrwilby]

The tea library is a transitive dependency of some other aliyun libraries which my company uses.

Unfortunately, this library is using a non-maintained version of okhttp which has a known security vulnerability disclosure:

https://nvd.nist.gov/vuln/detail/CVE-2021-0341

The dependency is from here:
https://github.com/aliyun/tea-java/blob/master/pom.xml#L68

The maintainers of okhttp indicate that they will not patch the v3 library with a correction. However, the more recent 4.x series has been fixed.

Can this library be upgraded and then re-released using okhttp v4 or newer?

[mrwilby]

New vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-3635

[mrwilby]

New vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-0833

[ErkangXu]

Can we please update the dependency?

[JohnNiang]

Request to upgrade okhttp up to 4.9.2.

[yndu13]

Feat: Upgrade the OkHttp version #243 merged.