On Mon, May 09, 2022 at 09:23:36PM -0700, tony mancill wrote: > On Fri, May 06, 2022 at 09:46:24AM +0100, Neil Williams wrote: > > Source: google-oauth-client-java > > Version: 1.28.0-2 > > Severity: grave > > Tags: security > > Justification: user security hole > > > > Fixed in upstream release 1.33.3 > > > > If you fix the vulnerability please also make sure to include the > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > > > For further information see: > > > > [0] https://security-tracker.debian.org/tracker/CVE-2021-22573 > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22573 > > > > Please adjust the affected versions in the BTS as needed. > > Upstream version 1.33.3 requires a minor update to the Debian packaging > of google-http-client-java that I am working on now. > > I will upload a package for 1.33.3 in the next day or so.
In order to backport this patch for bullseye, we will need a version of google-http-client-java in bullseye that includes google-http-client-gson.jar (as was added in [1]). I'm not sure how this works if a security update for package requires an update to its build-deps. Based on the limited set of reverse-dependencies of libgoogle-oauth-client-java in bullseye - that is: $ reverse-depends --build --list --release=bullseye libgoogle-oauth-client-java google-api-client-java $ reverse-depends --list --release=bullseye libgoogle-oauth-client-java (nothing) $ reverse-depends --list --release=bullseye libgoogle-api-client-java bazel-bootstrap $ reverse-depends --build --list --release=bullseye libgoogle-api-client-java bazel-bootstrap $ reverse-depends --build --list --release=bullseye bazel-bootstrap (nothing) And the chain seems to end there. As I understand it, getting bazel-bootstrap into bullseye was in preparation for bookworm, but there aren't any packages with build-deps on it bullseye. For that reason, I'm wondering whether we wouldn't be better off updating instead backporting to address this CVE. Related to this, Markus has already created a backport of google-http-client-java [2]. (That is, there are other reasons for a newer versions in bullseye.) Any thoughts? It's a tad messy either way, but using current versions simplifies the porting of patches. Thank you, tony [1] https://tracker.debian.org/news/1323863/accepted-google-http-client-java-1418-2-source-into-unstable/ [2] https://tracker.debian.org/news/1292692/accepted-google-http-client-java-1401-1bpo111-source-all-into-bullseye-backports-bullseye-backports/
signature.asc
Description: PGP signature
