Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Dear Release Team,

Please unblock package google-oauth-client-java

[ Reason ]
Backport of fix for RC security issue (CVE-2020-7692)
https://security-tracker.debian.org/tracker/CVE-2020-7692
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988944

[ Impact ]
Security issue in bullseye or the removal of the entire Bazel build system.

[ Tests ]
The bazel-bootstrap package has a comprehensive test suite that uses the code in this package and therefore indirectly tests it. Also, please see next section.

[ Risks ]
Two packages build-depend on this package (google-api-client-java and bazel-bootstrap). I have built and tested both of them locally against the new version of this package and they both build and test correctly.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
This upload includes a VCS commit from tony mancill which corrects a previously-undeclared build dependency from his 1.28.0-1 packaging. It is a trivial QC change and, as you can see in the debdiff, over 99% of this upload is a backport of the upstream fix for this security vulnerability.

Also, this is my first security bug so please let me know if I'm missing anything in the process!

Thanks!
-Olek