Hello Utkarsh,

On 04/08/25 at 05:00, Adrian Bunk wrote:
> On Mon, Aug 04, 2025 at 06:41:54AM +0530, Utkarsh Gupta wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > - -----------------------------------------------------------------------
> > Debian LTS Advisory DLA-4263-1                debian-lts@lists.debian.org
> > https://www.debian.org/lts/security/                       Utkarsh Gupta
> > August 04, 2025                               https://wiki.debian.org/LTS
> > - -----------------------------------------------------------------------
> >
> > Package        : ruby-graphql
> > Version        : 1.11.12-0+deb11u1
> > CVE ID         : CVE-2025-27407
> > Debian Bug     : 1100442
> >
> > ruby-graphql is GraphQL language and runtime for Ruby. It was
> > discovered that loading a malicious schema definition in
> > `GraphQL::Schema.from_introspection` (or
> > `GraphQL::Schema::Loader.load`) can result in remote code execution.
> > Any system which loads a schema by JSON from an untrusted source is
> > vulnerable, including those that use GraphQL::Client to load external
> > schemas via GraphQL introspection.
> >
> > For Debian 11 bullseye, this problem has been fixed in version
> > 1.11.12-0+deb11u1.
> >...
>
> I have two questions regarding this DLA:
>
>
> 1. Why was an upgrade to a new upstream version done?
>
> It is documented that upgrading to new upstream point releases should be
> discussed first, and backporting the fix might be better than an upgrade
> to a new upstream version containing many new features.
>
>
> 2. How has it been tested that the CVE was present and is now fixed?
>
> The information linked from the tracker claims that the version in
> bullseye was not affected.

I would add here: do you have plans to help fix this in bookworm? The
security team has triaged this as <no-dsa> (Can be fixed via point
release). So, to solve the regression update(*), a point release is
currently needed.

(*) If 1.11.4 was actually affected.

Best,

-- 
Santiago
Attachment:
signature.asc
Description: PGP signature