From: Olek Wojnar
Newsgroups: linux.debian.maint.java
Subject: Release Critical Security Bug in Bazel Dependency
Date: Sun, 30 May 2021 18:40:01 +0200
To: Debian Bazel Discussion List
Cc: debian-java@lists.debian.org
List-Archive: https://lists.debian.org/msgid-search/ec72d35a-6506-ea07-e6b7-28c5b6b73537@debian.org

Debian Bazel Team,

It just came to my attention that there is a Release Critical Security Bug against the google-oauth-client-java package. [1] If not fixed quickly, this will result in the removal of that package as well as its dependencies (google-api-client-java and bazel-bootstrap).

Fixing this is now my #1 priority. I'll update this list with progress.

-Olek

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988944