From: Olek Wojnar
Newsgroups: linux.debian.maint.java
Subject: Re: Release Critical Security Bug in Bazel Dependency
Date: Mon, 31 May 2021 22:50:02 +0200
List-Archive: https://lists.debian.org/msgid-search/CAJj0crTEGEYrxo2n+TpYSyWHXEzpA9oP1-KhMX5Wovq12sH9mg@mail.gmail.com

Hi Yun,

On Mon, May 31, 2021 at 4:17 AM Yun Peng wrote:

> Thanks, Olek!
>
> Looks like the bug is fixed in the latest release of google-oauth-client.
> Does this mean we just need to upgrade its version in Debian?
>
> Please let me know if I can help with anything!

Thanks for the offer, but it was fairly straightforward. Unfortunately, we typically can't upload new upstream versions when we're in a release freeze. But it was easy enough to backport the upstream fix to version 1.28.0. I think I only had to make one minor tweak to the pom.xml due to some additions for a later version. After that it built perfectly.

I also rebuilt the google-api-client-java and bazel-bootstrap packages locally against the new google-oauth-client-java and everything looks good. I've filed an unblock bug with the Release Team to allow the fix to migrate to bullseye. Now we just wait. :)

-Olek