From: Yun Peng
Newsgroups: linux.debian.maint.java
Subject: Re: Release Critical Security Bug in Bazel Dependency
Date: Mon, 31 May 2021 10:40:02 +0200
List-Archive: https://lists.debian.org/msgid-search/CAOZBPs62t4g_WvCUW-F32apO5qyKbykTBE+CztOOkMxGFa3Veg@mail.gmail.com

Thanks, Olek!

Looks like the bug is fixed in the latest release of google-oauth-client. Does this mean we just need to upgrade its version in Debian?

Please let me know if I can help with anything!

On Sun, May 30, 2021 at 6:32 PM Olek Wojnar wrote:
> Debian Bazel Team,
>
> It just came to my attention that there is a Release Critical Security
> Bug against the google-oauth-client-java package. [1] If not fixed
> quickly, this will result in the removal of that package as well as its
> dependencies (google-api-client-java and bazel-bootstrap). Fixing this
> is now my #1 priority. I'll update this list with progress.
>
>
> -Olek
>
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988944