• Release Critical Security Bug in Bazel Dependency

    From Olek Wojnar@21:1/5 to Debian Bazel Discussion List on Sun May 30 18:40:01 2021
    Copy: debian-java@lists.debian.org


    Debian Bazel Team,

    It just came to my attention that there is a Release Critical Security
    Bug against the google-oauth-client-java package. [1] If not fixed
    quickly, this will result in the removal of that package as well as its dependencies (google-api-client-java and bazel-bootstrap). Fixing this
    is now my #1 priority. I'll update this list with progress.


    -Olek

    [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988944



    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Yun Peng@21:1/5 to olek@debian.org on Mon May 31 10:40:02 2021
    Thanks, Olek!

    Looks like the bug is fixed in the latest release of google-oauth-client.
    Does this mean we just need to upgrade its version in Debian?

    Please let me know if I can help with anything!

    On Sun, May 30, 2021 at 6:32 PM Olek Wojnar <olek@debian.org> wrote:

    Debian Bazel Team,

    It just came to my attention that there is a Release Critical Security
    Bug against the google-oauth-client-java package. [1] If not fixed
    quickly, this will result in the removal of that package as well as its dependencies (google-api-client-java and bazel-bootstrap). Fixing this
    is now my #1 priority. I'll update this list with progress.


    -Olek

    [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988944




  • From Olek Wojnar@21:1/5 to pcloudy@google.com on Mon May 31 22:50:02 2021
    Hi Yun,

    On Mon, May 31, 2021 at 4:17 AM Yun Peng <pcloudy@google.com> wrote:

    Thanks, Olek!

    Looks like the bug is fixed in the latest release of google-oauth-client. Does this mean we just need to upgrade its version in Debian?

    Please let me know if I can help with anything!


    Thanks for the offer but it was fairly straightforward. Unfortunately, we typically can't upload new upstream versions when we're in a release
    freeze. But it was easy enough to backport the upstream fix to version
    1.28.0. I think I only had to make one minor tweak to the pom.xml due to
    some additions for a later version. After that it built perfectly.

    I also rebuilt the google-api-client-java and bazel-bootstrap packages
    locally against the new google-oauth-client-java and everything looks good. I've filed an unblock bug with the Release Team to allow the fix to migrate
    to bullseye. Now we just wait. :)

    -Olek

