
[SECURITY] [DLA 4263-1] ruby-graphql security update




-------------------------------------------------------------------------
Debian LTS Advisory DLA-4263-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
August 04, 2025                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : ruby-graphql
Version        : 1.11.12-0+deb11u1
CVE ID         : CVE-2025-27407
Debian Bug     : 1100442

ruby-graphql is a GraphQL language and runtime for Ruby. It was
discovered that loading a malicious schema definition in
`GraphQL::Schema.from_introspection` (or
`GraphQL::Schema::Loader.load`) can result in remote code execution.
Any system that loads a schema from JSON obtained from an untrusted
source is vulnerable, including those that use `GraphQL::Client` to
load external schemas via GraphQL introspection.
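A defensive pre-check to run on introspection JSON before it reaches `GraphQL::Schema.from_introspection`, added here as an example and not part of this advisory or of the ruby-graphql package: it enforces the GraphQL specification's name grammar and kind enumeration on every type, field and type reference and rejects any document that deviates. The function names and the sample document are constructed; the check is defense in depth for code that must consume a remote schema and does not replace the package upgrade.

```ruby
require "json"

# Name grammar from the GraphQL specification and the fixed set of __TypeKind values.
GRAPHQL_NAME = /\A[_A-Za-z][_0-9A-Za-z]*\z/
KINDS = %w[SCALAR OBJECT INTERFACE UNION ENUM INPUT_OBJECT LIST NON_NULL].freeze

class UntrustedSchemaError < StandardError; end

def check_name!(value, where)
  return if value.is_a?(String) && value.match?(GRAPHQL_NAME)
  raise UntrustedSchemaError, "#{where}: invalid GraphQL name #{value.inspect}"
end

# A type reference is {"kind", "name", "ofType"}; wrappers (LIST, NON_NULL) nest via ofType.
def check_type_ref!(ref, where)
  raise UntrustedSchemaError, "#{where}: type reference is not an object" unless ref.is_a?(Hash)
  raise UntrustedSchemaError, "#{where}: unknown kind #{ref["kind"].inspect}" unless KINDS.include?(ref["kind"])
  check_name!(ref["name"], where) unless ref["name"].nil?
  check_type_ref!(ref["ofType"], where) if ref["ofType"]
end

# Walks data.__schema.types and raises on the first element that is not well-formed.
def validate_introspection!(introspection)
  types = introspection.dig("data", "__schema", "types")
  raise UntrustedSchemaError, "missing data.__schema.types array" unless types.is_a?(Array)
  types.each do |type|
    check_name!(type["name"], "type")       # full types must carry a name
    check_type_ref!(type, "type #{type["name"]}")
    Array(type["fields"]).each do |field|
      check_name!(field["name"], "field of #{type["name"]}")
      check_type_ref!(field["type"], "field #{type["name"]}.#{field["name"]}")
    end
  end
  true
end

# Boolean wrapper for callers that only need go/no-go before loading.
def introspection_safe?(json_text)
  validate_introspection!(JSON.parse(json_text))
rescue JSON::ParserError, UntrustedSchemaError
  false
end

# Constructed sample: a minimal introspection result, and a copy with a non-spec type name.
GOOD_INTROSPECTION = { "data" => { "__schema" => { "types" => [
  { "kind" => "OBJECT", "name" => "Query", "fields" => [
    { "name" => "viewer", "type" => { "kind" => "NON_NULL", "name" => nil,
                                      "ofType" => { "kind" => "SCALAR", "name" => "String" } } }
  ] }
] } } }.to_json
BAD_INTROSPECTION = GOOD_INTROSPECTION.sub('"String"', '"not a name"')
```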

For Debian 11 bullseye, this problem has been fixed in version
1.11.12-0+deb11u1.

We recommend that you upgrade your ruby-graphql packages.

For the detailed security status of ruby-graphql please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-graphql

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS