Bug#1010657: google-oauth-client-java: CVE-2021-22573 - IdTokenVerifier does not verify the signature of ID Token
tony mancill
tmancill at debian.org
Mon May 16 15:12:59 BST 2022
Hi Markus,
On Mon, May 16, 2022 at 12:52:59AM +0200, Markus Koschany wrote:
> Hi tony,
>
> Am Sonntag, dem 15.05.2022 um 11:17 -0700 schrieb tony mancill:
>
> > [...]
> > Any thoughts? It's a tad messy either way, but using current versions
> > simplifies the porting of patches.
>
> I haven't investigated the CVE closely enough but the current
> reverse-dependencies in Bullseye don't seem to be severely affected by it.
> bazel-bootstrap and libgoogle-api-client-java are more like leaf packages
> unless we take openrefine in bullseye-backports into consideration as well.
>
> We could also mark the CVE as ignored for Bullseye because of the minor impact,
> or just upload the new google-http-client-java package to bullseye after
> approval by the release team and then update google-oauth-java-client as well.
> We just have to check if this breaks the two other packages in Bullseye
> (bazel-bootstrap and google-api-client-java).
>
> So yes, a newer upstream version is fine, if it does not break any existing
> packages and there is no other way or the alternative would be way too time
> consuming and inconvenient.
That is a good suggestion to potentially mark the CVE as ignored.
Unless there is a specific need for the updates in bullseye, I don't
have a reason to push the issue. I wanted to address the CVE in
testing/unstable, and didn't want to just disappear and ignore the issue
for the other suites.
And if there is a compelling need for the updates to land in bullseye,
we can revisit.
Thanks!