
Debian alert DLA-4263-1 (ruby-graphql)

From:  Utkarsh Gupta <guptautkarsh2102@gmail.com>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 4263-1] ruby-graphql security update
Date:  Mon, 04 Aug 2025 06:41:54 +0530
Message-ID:  <CAPP0f97sfRdBveUa6hmtmb5zdwm0TkeVmF0=Hw4+OFahg0jUkg@mail.gmail.com>

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-4263-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Utkarsh Gupta
August 04, 2025                               https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : ruby-graphql
Version        : 1.11.12-0+deb11u1
CVE ID         : CVE-2025-27407
Debian Bug     : 1100442

ruby-graphql is a GraphQL language and runtime for Ruby.

It was discovered that loading a malicious schema definition in
`GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`)
can result in remote code execution. Any system which loads a schema by
JSON from an untrusted source is vulnerable, including those that use
GraphQL::Client to load external schemas via GraphQL introspection.

For Debian 11 bullseye, this problem has been fixed in version
1.11.12-0+deb11u1.

We recommend that you upgrade your ruby-graphql packages.

For the detailed security status of ruby-graphql please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-graphql

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
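As an added example (not part of the advisory), a small Ruby check that tells whether an installed ruby-graphql package on bullseye is older than the fixed version named above. It reimplements dpkg's version ordering (epoch, upstream, Debian revision, with `~` sorting first); the `installed_version` helper assumes `dpkg-query` exists on the host, and the sample versions in the comments are constructed.

```ruby
# Fixed version from DLA-4263-1 (Debian 11 bullseye).
FIXED_VERSION = '1.11.12-0+deb11u1'.freeze

# Sort weight of one character in dpkg's non-digit comparison:
# '~' sorts before everything (even end of string), then end of string,
# then letters, then all other characters.
def char_order(c)
  return -1 if c == '~'
  return 0 if c.nil?
  return c.ord if c.match?(/[A-Za-z]/)
  c.ord + 256
end

# Compare two version fragments (upstream part or Debian revision) the
# way dpkg does: alternate non-digit runs (lexical, see char_order) and
# digit runs (numeric, leading zeros ignored).
def compare_fragment(a, b)
  i = j = 0
  while i < a.size || j < b.size
    while (i < a.size && a[i] !~ /\d/) || (j < b.size && b[j] !~ /\d/)
      ac = char_order(a[i])
      bc = char_order(b[j])
      return ac <=> bc if ac != bc
      i += 1
      j += 1
    end
    i += 1 while a[i] == '0'
    j += 1 while b[j] == '0'
    first_diff = 0
    while a[i] =~ /\d/ && b[j] =~ /\d/
      first_diff = a[i].ord - b[j].ord if first_diff.zero?
      i += 1
      j += 1
    end
    return 1 if a[i] =~ /\d/   # a has more significant digits left
    return -1 if b[j] =~ /\d/
    return first_diff <=> 0 unless first_diff.zero?
  end
  0
end

# Split "[epoch:]upstream[-revision]" into its three parts.
def parse_version(v)
  epoch, rest = v.include?(':') ? v.split(':', 2) : ['0', v]
  cut = rest.rindex('-')
  upstream, revision = cut ? [rest[0...cut], rest[(cut + 1)..]] : [rest, '0']
  [epoch.to_i, upstream, revision]
end

# Returns -1, 0 or 1 like <=>, following dpkg --compare-versions.
def compare_versions(a, b)
  ea, ua, ra = parse_version(a)
  eb, ub, rb = parse_version(b)
  return ea <=> eb if ea != eb
  c = compare_fragment(ua, ub)
  c.zero? ? compare_fragment(ra, rb) : c
end

# True when the installed version predates the fix (e.g. '1.11.7-1').
def needs_update?(installed)
  compare_versions(installed, FIXED_VERSION).negative?
end

# Assumes dpkg-query is available; returns nil if the package is absent.
def installed_version(pkg = 'ruby-graphql')
  v = `dpkg-query -W -f='${Version}' #{pkg} 2>/dev/null`.strip
  v.empty? ? nil : v
end
```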




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds