
Re: Release Critical Security Bug in Bazel Dependency

I saw the bug has been closed. Great work, Olek!

By the way, I have bumped the version to 4.1.0. Two additional patches are needed: one to remove the "bazel_skylib" dependency introduced by a "darwin-arm64" workaround and one to use the Debian-provided "rxjava". The latter one can be sent upstream, and the first one is going to stay until we get "bazel_skylib" ready.

Please review the changes when you have time. I am still working on the d/copyright stuff you mentioned, but I am not able to commit much time near the end of quarter. Hopefully someone else can help me with that.

Yun, can you take a look at the "rxjava" patch? I can open a PR if it is good.

FYI: As I haven't updated the "pristine-tar" and "upstream" branches of our main repo yet (I'd like to leave them to Olek), the CI would always fail with "uscan error: unzip binary not found". Plus, it seems that Salsa no longer runs CI on personal repos.
On 5/31/2021 8:17 AM, Yun Peng wrote:
Thanks, Olek!

Looks like the bug is fixed in the latest release of google-oauth-client. Does this mean we just need to upgrade its version in Debian?

Please let me know if I can help with anything!

On Sun, May 30, 2021 at 6:32 PM Olek Wojnar <olek@debian.org> wrote:

    Debian Bazel Team,

    It just came to my attention that there is a Release Critical Security
    Bug against the google-oauth-client-java package. [1] If not fixed
    quickly, this will result in the removal of that package as well as its
    dependencies (google-api-client-java and bazel-bootstrap). Fixing this
    is now my #1 priority. I'll update this list with progress.


    [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988944
