Your message dated Tue, 10 May 2022 14:34:01 +0000
with message-id <e1noqw5-000ayk...@fasolo.debian.org>
and subject line Bug#1010657: fixed in google-oauth-client-java 1.33.3-1
has caused the Debian Bug report #1010657,
regarding google-oauth-client-java: CVE-2021-22573 - IdTokenVerifier does not 
verify the signature of ID Token
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1010657: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010657
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: google-oauth-client-java
Version: 1.28.0-2
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: codeh...@debian.org, Debian Security Team 
<t...@security.debian.org>

Hi,

The following vulnerability was published for google-oauth-client-java.

CVE-2021-22573[0]:
| The vulnerability is that IDToken verifier does not verify if token is
| properly signed. Signature verification makes sure that the token's
| payload comes from valid provider, not from someone else. An attacker
| can provide a compromised token with custom payload. The token will
| pass the validation on the client side. We recommend upgrading to
| version 1.33.3 or above


> The spec requires to validate the signature of ID token for apps that
> cannot guarantee TLS communication, which is the case for this library.
> This library initiates a local server that can run on any client machine
> without TLS support. So, it is critical to validate the signature, 
> before trusting the claims of an ID token, which can be received from 
> a malicious service provider.

Fixed in upstream release 1.33.3

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-22573
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22573

Please adjust the affected versions in the BTS as needed.



-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
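The failure mode the report describes (issuer, audience and expiry checked, signature never checked) beside the corrected order of operations, as an added example in Go. This is not code from google-oauth-client-java or from the Debian package: it uses a locally generated RSA key pair in place of keys fetched from the provider's JWKS endpoint, the placeholder audience "my-client-id", and the hypothetical helpers Sign, Forge, UnsignedNone, VerifyClaimsOnly and VerifySigned rather than the library's IdTokenVerifier API.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of ID token claims checked below.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign mints a compact RS256 JWS the way an OpenID provider would.
func Sign(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pl, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(pl)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// Forge keeps a genuine token's header and signature but swaps in
// attacker-chosen claims; the signature no longer covers the payload.
func Forge(token string, c Claims) string {
	parts := strings.SplitN(token, ".", 3)
	pl, _ := json.Marshal(c)
	return parts[0] + "." + b64(pl) + "." + parts[2]
}

// UnsignedNone builds an "alg":"none" token with an empty signature, the
// classic downgrade that a verifier trusting the header would accept.
func UnsignedNone(c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "none"})
	pl, _ := json.Marshal(c)
	return b64(hdr) + "." + b64(pl) + "."
}

// VerifyClaimsOnly models the behaviour CVE-2021-22573 describes: issuer,
// audience and expiry are checked, the signature is never examined.
func VerifyClaimsOnly(token, iss, aud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	pl, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(pl, &c); err != nil {
		return nil, err
	}
	if c.Iss != iss || c.Aud != aud || now.Unix() >= c.Exp {
		return nil, errors.New("claims rejected")
	}
	return &c, nil
}

// VerifySigned is the corrected order: pin the expected algorithm, verify the
// RS256 signature over header.payload with the provider's public key (here an
// in-memory key standing in for a fetched JWKS), and only then trust claims.
func VerifySigned(token string, pub *rsa.PublicKey, iss, aud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, errors.New("signature invalid")
	}
	return VerifyClaimsOnly(token, iss, aud, now)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the provider's key pair
	now := time.Now()
	good := Claims{Iss: "https://accounts.google.com", Aud: "my-client-id", Sub: "user-1", Exp: now.Add(time.Hour).Unix()}
	tok, _ := Sign(priv, good)
	forged := Forge(tok, Claims{Iss: good.Iss, Aud: good.Aud, Sub: "admin", Exp: good.Exp})
	for name, tk := range map[string]string{"genuine": tok, "forged": forged, "alg=none": UnsignedNone(good)} {
		c1, e1 := VerifyClaimsOnly(tk, good.Iss, good.Aud, now)
		c2, e2 := VerifySigned(tk, &priv.PublicKey, good.Iss, good.Aud, now)
		fmt.Printf("%-8s claims-only accepted=%v (%v) | signed accepted=%v (%v)\n", name, c1 != nil, e1, c2 != nil, e2)
	}
}
```

Run with `go run`: the claims-only verifier accepts both the forged token (sub rewritten to "admin" while the original signature is left in place) and the alg=none token, since every claim it looks at is attacker-controlled; VerifySigned rejects both and accepts only the genuinely signed token. The header is parsed only to pin the algorithm, never to choose it, so an attacker cannot steer the verifier toward "none" or an HMAC variant.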
--- Begin Message ---
Source: google-oauth-client-java
Source-Version: 1.33.3-1
Done: tony mancill <tmanc...@debian.org>

We believe that the bug you reported is fixed in the latest version of
google-oauth-client-java, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1010...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmanc...@debian.org> (supplier of updated 
google-oauth-client-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 08 May 2022 13:42:32 -0700
Source: google-oauth-client-java
Architecture: source
Version: 1.33.3-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers 
<pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: tony mancill <tmanc...@debian.org>
Closes: 1010657
Changes:
 google-oauth-client-java (1.33.3-1) unstable; urgency=high
 .
   * Team upload
   * New upstream version 1.33.3
     Upstream fix for CVE-2021-22573 (Closes: #1010657)
   * Refresh patches for new upstream version
   * Remove CVE-2020-7692.patch; applied upstream in version 1.31.0
   * Add versioned build-dep on libgoogle-http-client-java package
     version that includes the google-http-client-gson jar
Checksums-Sha1:
 082270c2f5b462c9ed24d0835a618ab2a687441a 2268 
google-oauth-client-java_1.33.3-1.dsc
 2fc04be65c34df2f7f04a7be5d3fb3ab92f891dd 113692 
google-oauth-client-java_1.33.3.orig.tar.xz
 6c3819ac4db4b4fc4f6a858edd797cfd138e611c 3252 
google-oauth-client-java_1.33.3-1.debian.tar.xz
 1b330f3b212085d8d9cb2a646e3bcdce28380954 12880 
google-oauth-client-java_1.33.3-1_amd64.buildinfo
Checksums-Sha256:
 9f7873b4d437e25192af0b3cb79405d54ff0aeb656858135f1f83af23343fa15 2268 
google-oauth-client-java_1.33.3-1.dsc
 cf6d01c0211b86f53ad4053b6596d0ddf90cd34233183c4df33f7e1df72891ec 113692 
google-oauth-client-java_1.33.3.orig.tar.xz
 631a3a4ade895fd69a320b47beacca59b2425ff5b1178fcc6771617b964935cb 3252 
google-oauth-client-java_1.33.3-1.debian.tar.xz
 053415e194deff0a6a6cf3f91016c2057802f62bb2cd0c86aed5773ef2f327d3 12880 
google-oauth-client-java_1.33.3-1_amd64.buildinfo
Files:
 e28368e6eb247a81e330d4a82b98a7fc 2268 java optional 
google-oauth-client-java_1.33.3-1.dsc
 d8a899e56ca04fbc98e697b2817a0b09 113692 java optional 
google-oauth-client-java_1.33.3.orig.tar.xz
 e0f68989be93b38cfeebc17b0dbf981c 3252 java optional 
google-oauth-client-java_1.33.3-1.debian.tar.xz
 9162a2db251e543bfc5e4e04174a93fd 12880 java optional 
google-oauth-client-java_1.33.3-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
