Upgrade okio to resolve security vulnerability

[cowwoc]

Describe the bug

Dependency maven:com.squareup.okio:okio:1.15.0 is vulnerable

Upgrade to 3.4.0

GHSA-w33c-445m-f8w7, Score: 5.9

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.

Read More: https://osv.dev/vulnerability/GHSA-w33c-445m-f8w7

Results powered by OSV

Fabric8 Kubernetes Client version

SNAPSHOT

Steps to reproduce

Adds dependency to pom.xml:

<dependency>
  <groupId>io.fabric8</groupId>
  <artifactId>kubernetes-client</artifactId>
</dependency>

IntelliJ warns about the aforementioned vulnerability

Expected behavior

Upgrade to version 3.4.0 or higher to resolve the vulnerability

Runtime

Kubernetes (vanilla)

Kubernetes API Server version

1.25.3@latest

Environment

Windows, Linux, macOS

Fabric8 Kubernetes Client Logs

N/A

Additional context

No response

[cowwoc]

Yeesh. Your version of okio is over 6 years old (!!)

It's definitely overdue for an upgrade.

[manusa]

As of Kubernetes Client v7.0.0 the dependency is (will) no longer (be) there.

You should be able to verify this in our nightly builds.

See:

• feat:deps: bumped OkHttp from 3.12.12 to 4.12.0 #6441
• [INITIATIVE] Fabric8 Kubernetes Client 7.0.0 #5778
• Move to use okhttp4 due to a bug on IPV6 based cluster #2632
• Upgrade kubernetes-server-mock to okhttp4 mockwebserver to avoid vulnerability warning on old junit transitive dependency #5613