Hi Markus,

On Mon, May 16, 2022 at 12:52:59AM +0200, Markus Koschany wrote:
> Hi tony,
>
> On Sunday, 15.05.2022 at 11:17 -0700, tony mancill wrote:
> > [...]
> > Any thoughts? It's a tad messy either way, but using current versions
> > simplifies the porting of patches.
>
> I haven't investigated the CVE closely enough but the current
> reverse-dependencies in Bullseye don't seem to be severely affected by it.
> bazel-bootstrap and libgoogle-api-client-java are more like leaf packages
> unless we take openrefine in bullseye-backports into consideration as well.
>
> We could also mark the CVE as ignored for Bullseye because of the minor
> impact, or just upload the new google-http-client-java package to bullseye
> after approval by the release team and then update google-oauth-java-client
> as well. We just have to check if this breaks the two other packages in
> Bullseye (bazel-bootstrap and google-api-client-java).
>
> So yes, a newer upstream version is fine, if it does not break any existing
> packages and there is no other way or the alternative would be way too time
> consuming and inconvenient.
That is a good suggestion to potentially mark the CVE as ignored. Unless there is a specific need for the updates in bullseye, I don't have a reason to push the issue. I wanted to address the CVE in testing/unstable, and didn't want to just disappear and ignore the issue for the other suites. And if there is a compelling need for the updates to land in bullseye, we can revisit. Thanks!