Bug#1010657: google-oauth-client-java: CVE-2021-22573 - IdTokenVerifier does not verify the signature of ID Token

Markus Koschany apo at debian.org
Sun May 15 23:52:59 BST 2022


Hi tony,

Am Sonntag, dem 15.05.2022 um 11:17 -0700 schrieb tony mancill:

> [...]
> Any thoughts?  It's a tad messy either way, but using current versions
> simplifies the porting of patches.

I haven't investigated the CVE closely enough but the current
reverse-dependencies in Bullseye don't seem to be severely affected by it.
bazel-bootstrap and libgoogle-api-client-java are more like leaf packages
unless we take openrefine in bullseye-backports into consideration as well.

We could also mark the CVE as ignored for Bullseye because of the minor impact,
or just upload the new google-http-client-java package to bullseye after
approval by the release team and then update google-oauth-java-client as well.
We just have to check if this breaks the two other packages in Bullseye
(bazel-bootstrap and google-api-client-java).

So yes, a newer upstream version is fine, if it does not break any existing
packages and there is no other way or the alternative would be way too time
consuming and inconvenient.

Cheers,

Markus
