Re: [SECURITY] [DLA 4263-1] ruby-graphql security update
On Mon, Aug 04, 2025 at 06:41:54AM +0530, Utkarsh Gupta wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> - -----------------------------------------------------------------------
> Debian LTS Advisory DLA-4263-1 debian-lts@lists.debian.org
> https://www.debian.org/lts/security/ Utkarsh Gupta
> August 04, 2025 https://wiki.debian.org/LTS
> - -----------------------------------------------------------------------
>
> Package : ruby-graphql
> Version : 1.11.12-0+deb11u1
> CVE ID : CVE-2025-27407
> Debian Bug : 1100442
>
> ruby-graphql is a GraphQL language and runtime for Ruby. It was
> discovered that loading a malicious schema definition in
> `GraphQL::Schema.from_introspection` (or
> `GraphQL::Schema::Loader.load`) can result in remote code execution.
> Any system which loads a schema by JSON from an untrusted source is
> vulnerable, including those that use GraphQL::Client to load external
> schemas via GraphQL introspection.
>
> For Debian 11 bullseye, this problem has been fixed in version
> 1.11.12-0+deb11u1.
>...
I have two questions regarding this DLA:
1. Why was an upgrade to a new upstream version done?
It is documented that upgrading to new upstream point releases should be
discussed first, and backporting the fix might be better than an upgrade
to a new upstream version containing many new features.
2. How has it been tested that the CVE was present and is now fixed?
The information linked from the tracker claims that the version in
bullseye was not affected.
cu
Adrian
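The advisory describes the risk as feeding introspection JSON from an untrusted source into `GraphQL::Schema.from_introspection`. The following is an added example, not code from the advisory, from Debian, or from the ruby-graphql project: a small loader that only passes a schema file to the gem's loader when the file's SHA-256 matches a pin a reviewer recorded, so a schema fetched from an external endpoint cannot silently replace the reviewed one. The `PinnedSchemaLoader` class, the `loader:` injection point, and the minimal introspection document are all constructed for this example; the stand-in loader lambda exists only so the example runs without the graphql gem installed.

```ruby
require "json"
require "digest"
require "tempfile"

# Added example (not from the advisory or the ruby-graphql project): hand
# introspection JSON to the schema loader only when the file matches a
# SHA-256 pin recorded when the schema was reviewed.
class PinnedSchemaLoader
  class PinMismatch < StandardError; end

  # pins:   { "path/to/schema.json" => "<sha256 hex>" }, curated by a reviewer
  # loader: callable that receives the parsed introspection Hash; defaults to
  #         GraphQL::Schema.from_introspection when the gem is loaded (assumption)
  def initialize(pins, loader: nil)
    @pins = pins
    @loader = loader || default_loader
  end

  def load(path)
    expected = @pins.fetch(path) { raise PinMismatch, "no pin recorded for #{path}" }
    raw = File.binread(path)
    actual = Digest::SHA256.hexdigest(raw)
    unless secure_compare(actual, expected)
      raise PinMismatch, "#{path}: sha256 #{actual} does not match pin #{expected}"
    end
    # Only pinned content reaches the loader; JSON.parse itself is not the risk.
    @loader.call(JSON.parse(raw))
  end

  private

  def default_loader
    if defined?(GraphQL::Schema)
      ->(hash) { GraphQL::Schema.from_introspection(hash) }
    else
      ->(_hash) { raise "graphql gem not loaded; pass loader: explicitly" }
    end
  end

  # Constant-time comparison of two hex digests of equal length.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Runs the loader against a constructed schema file, then against a modified
# copy that no reviewer pinned. Returns [query type name, whether the
# modified file was rejected].
def demo_pinned_loading
  # Constructed sample: a minimal introspection result in the shape an
  # endpoint returns; real responses carry the full type list.
  trusted_json = JSON.generate(
    "data" => { "__schema" => { "queryType" => { "name" => "Query" }, "types" => [] } }
  )
  file = Tempfile.new(["schema", ".json"])
  file.binmode
  file.write(trusted_json)
  file.flush
  pins = { file.path => Digest::SHA256.hexdigest(trusted_json) }

  # Stand-in for GraphQL::Schema.from_introspection so the example runs offline.
  loader = ->(hash) { hash.dig("data", "__schema", "queryType", "name") }
  pinned = PinnedSchemaLoader.new(pins, loader: loader)
  name = pinned.load(file.path)

  # The file is replaced by content the reviewer never pinned; it must be refused.
  File.binwrite(file.path, trusted_json.sub("Query", "Mutation"))
  rejected = begin
    pinned.load(file.path)
    false
  rescue PinnedSchemaLoader::PinMismatch
    true
  end
  [name, rejected]
ensure
  file&.close
  file&.unlink
end

puts demo_pinned_loading.inspect if $PROGRAM_NAME == __FILE__
```

The pin is the control here: it moves the trust decision from "whatever the endpoint returned" to "a file a human reviewed", which is the boundary the advisory text draws for `GraphQL::Client` users who load external schemas. Refreshing the schema then becomes a reviewed change to the pin rather than an automatic fetch.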