Re: Release Critical Security Bug in Bazel Dependency

Hi Yun,

On Mon, May 31, 2021 at 4:17 AM Yun Peng <pcloudy@google.com> wrote:
> Thanks, Olek!
>
> Looks like the bug is fixed in the latest release of google-oauth-client. Does this mean we just need to upgrade its version in Debian?
>
> Please let me know if I can help with anything!

Thanks for the offer but it was fairly straightforward. Unfortunately, we typically can't upload new upstream versions when we're in a release freeze. But it was easy enough to backport the upstream fix to version 1.28.0. I think I only had to make one minor tweak to the pom.xml due to some additions for a later version. After that it built perfectly.

I also rebuilt the google-api-client-java and bazel-bootstrap packages locally against the new google-oauth-client-java and everything looks good. I've filed an unblock bug with the Release Team to allow the fix to migrate to bullseye. Now we just wait. :)