Bug#1010657: google-oauth-client-java: CVE-2021-22573 - IdTokenVerifier does not verify the signature of ID Token
tony mancill
tmancill at debian.org
Tue May 10 05:23:36 BST 2022
On Fri, May 06, 2022 at 09:46:24AM +0100, Neil Williams wrote:
> Source: google-oauth-client-java
> Version: 1.28.0-2
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
>
> The following vulnerability was published for google-oauth-client-java.
>
> CVE-2021-22573[0]:
>
> (SNIP)
>
> Fixed in upstream release 1.33.3
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2021-22573
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22573
>
> Please adjust the affected versions in the BTS as needed.
Upstream version 1.33.3 requires a minor update to the Debian packaging
of google-http-client-java that I am working on now.
I will upload a package for 1.33.3 in the next day or so.
Cheers,
tony