| From | Olek Wojnar <olek@debian.org> |
|---|---|
| Newsgroups | linux.debian.maint.java |
| Subject | Re: Release Critical Security Bug in Bazel Dependency |
| Date | 2021-05-31 22:50 +0200 |
| Message-ID | <CkX1f-7nx-3@gated-at.bofh.it> (permalink) |
| References | <CkwDL-8rs-3@gated-at.bofh.it> <CkLCO-BQ-5@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |
Hi Yun,

On Mon, May 31, 2021 at 4:17 AM Yun Peng <pcloudy@google.com> wrote:

> Thanks, Olek!
>
> Looks like the bug is fixed in the latest release of google-oauth-client.
> Does this mean we just need to upgrade its version in Debian?
>
> Please let me know if I can help with anything!

Thanks for the offer but it was fairly straightforward. Unfortunately, we typically can't upload new upstream versions when we're in a release freeze. But it was easy enough to backport the upstream fix to version 1.28.0. I think I only had to make one minor tweak to the pom.xml due to some additions for a later version. After that it built perfectly.

I also rebuilt the google-api-client-java and bazel-bootstrap packages locally against the new google-oauth-client-java and everything looks good. I've filed an unblock bug with the Release Team to allow the fix to migrate to bullseye. Now we just wait. :)

-Olek