Your message dated Sun, 06 Apr 2025 22:52:24 +0000
with message-id <e1u1yqm-00fnrw...@fasolo.debian.org>
and subject line Bug#1100442: fixed in ruby-graphql 2.2.17-1
has caused the Debian Bug report #1100442,
regarding ruby-graphql: CVE-2025-27407
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1100442: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100442
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: ruby-graphql
Version: 2.2.5-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for ruby-graphql.

CVE-2025-27407[0]:
| graphql-ruby is a Ruby implementation of GraphQL. Starting in
| version 1.11.5 and prior to versions 1.11.8, 1.12.25, 1.13.24,
| 2.0.32, 2.1.14, 2.2.17, and 2.3.21, loading a malicious schema
| definition in `GraphQL::Schema.from_introspection` (or
| `GraphQL::Schema::Loader.load`) can result in remote code execution.
| Any system which loads a schema by JSON from an untrusted source is
| vulnerable, including those that use GraphQL::Client to load
| external schemas via GraphQL introspection. Versions 1.11.8,
| 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21 contain a patch
| for the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-27407
    https://www.cve.org/CVERecord?id=CVE-2025-27407
[1] https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
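Added check, written for this page and not code from the Debian bug report, the Debian packaging or graphql-ruby itself: it classifies a graphql gem version against the affected and patched ranges quoted in the advisory text above (affected from 1.11.5; patched in 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17 and 2.3.21), and pulls the resolved version out of a Gemfile.lock so the check can run over a deployed application. Everything other than those version numbers is an assumption of this example: the function names, the constructed sample lockfile, and the handling of Debian-style package versions such as 2.2.5-3 and 2.2.17-1 (the two versions named in this report). A release series the advisory text does not list is reported as :unknown rather than guessed.

```ruby
# Added example (not from the bug report or graphql-ruby): decide whether a
# graphql gem version is inside the CVE-2025-27407 range quoted above.
require "rubygems"

# First affected release and, per release series, the first patched release,
# copied from the advisory text quoted in the bug report.
FIRST_AFFECTED = Gem::Version.new("1.11.5")
PATCHED_BY_SERIES = {
  "1.11" => "1.11.8",
  "1.12" => "1.12.25",
  "1.13" => "1.13.24",
  "2.0"  => "2.0.32",
  "2.1"  => "2.1.14",
  "2.2"  => "2.2.17",
  "2.3"  => "2.3.21",
}.transform_values { |v| Gem::Version.new(v) }.freeze

# Accepts a plain gem version ("2.2.5") or a Debian package version
# ("2.2.5-3", "1:2.2.5-3"). The Debian epoch and revision are dropped: they
# describe packaging, not the upstream gem code being assessed. (Assumption of
# this example: Debian's ruby-graphql ships the unmodified upstream version.)
def upstream_version(version_str)
  s = version_str.strip.sub(/\A\d+:/, "").sub(/-\d[^-]*\z/, "")
  Gem::Version.new(s)
end

# Returns :affected, :not_affected, or :unknown (release series not covered
# by the advisory text on this page).
def cve_2025_27407_status(version_str)
  v = upstream_version(version_str)
  return :not_affected if v < FIRST_AFFECTED
  series = v.segments.first(2).join(".")
  patched = PATCHED_BY_SERIES[series]
  return :unknown if patched.nil?
  v < patched ? :affected : :not_affected
end

# Pull the resolved graphql version out of a Gemfile.lock body. Only the spec
# line "graphql (x.y.z)" matches; dependency constraints such as
# "graphql (>= 1.13.0)" and the unrelated graphql-client gem do not.
def graphql_version_from_lockfile(lock_text)
  m = lock_text.match(/^\s+graphql \((\d+(?:\.\d+)+)\)$/)
  m && m[1]
end

# Constructed sample lockfile for this example (not from any real project);
# graphql-client is there because the advisory names it as a consumer that
# loads external schemas via introspection.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (7.1.3)
      graphql (2.2.5)
      graphql-client (0.23.0)
        activesupport (>= 3.0)
        graphql (>= 1.13.0)

  DEPENDENCIES
    graphql-client
LOCK

if __FILE__ == $PROGRAM_NAME
  ver = graphql_version_from_lockfile(SAMPLE_LOCK)
  puts "Gemfile.lock graphql #{ver}: #{cve_2025_27407_status(ver)}"
  %w[2.2.5-3 2.2.17-1 1.11.4 2.3.21 2.4.0].each do |v|
    puts "#{v}: #{cve_2025_27407_status(v)}"
  end
end
```

On the report's own data the check reports 2.2.5-3 as affected and 2.2.17-1 as not affected. A version check is the only remediation the page supports; the exposure itself, per the advisory text, is any code path that hands JSON from an untrusted server to `GraphQL::Schema.from_introspection` or `GraphQL::Schema::Loader.load`, so an :affected result matters most where the application loads remote schemas that way (for example through GraphQL::Client).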
--- Begin Message ---
Source: ruby-graphql
Source-Version: 2.2.17-1
Done: Samuel Henrique <samuel...@debian.org>

We believe that the bug you reported is fixed in the latest version of
ruby-graphql, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1100...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Samuel Henrique <samuel...@debian.org> (supplier of updated ruby-graphql package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 06 Apr 2025 23:27:31 +0100
Source: ruby-graphql
Architecture: source
Version: 2.2.17-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Samuel Henrique <samuel...@debian.org>
Closes: 1100442
Changes:
 ruby-graphql (2.2.17-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 2.2.17
     - Fix CVE-2025-27407 (closes: #1100442)
Checksums-Sha1:
 5ec26016096c885e884003e445bb597856b78667 2022 ruby-graphql_2.2.17-1.dsc
 cfd71b5c76dc174ec8a9638c96bd1a5a05c934d1 2574336 ruby-graphql_2.2.17.orig.tar.gz
 1ff85c209e8daed0262fbb317e6fd046d55ed218 4012 ruby-graphql_2.2.17-1.debian.tar.xz
 3ffab956f77c059c3a713f82713f917038012902 8286 ruby-graphql_2.2.17-1_amd64.buildinfo
Checksums-Sha256:
 6600f83fdc028632656177bcb1e6d0c7ffa1e5bb50a8d30e802e5056552cc29e 2022 ruby-graphql_2.2.17-1.dsc
 c213010d1d0efbc920ddce9e47ca711a19ffd81d6a19d907dca667902a8e43ab 2574336 ruby-graphql_2.2.17.orig.tar.gz
 3d929c17d35aec21135dfe4d0c8c8a438ea72a00bb73deae072b814f2126cb56 4012 ruby-graphql_2.2.17-1.debian.tar.xz
 c89bd484153f39d154da1b633547843903bf0198e144a34b3436a9010da74a3a 8286 ruby-graphql_2.2.17-1_amd64.buildinfo
Files:
 2c9837effcc9b074cc2fc70322196f95 2022 ruby optional ruby-graphql_2.2.17-1.dsc
 f9bc9ce0f9b1af1d52721fa991d74a43 2574336 ruby optional ruby-graphql_2.2.17.orig.tar.gz
 3e32648eb74a91999786621331672f05 4012 ruby optional ruby-graphql_2.2.17-1.debian.tar.xz
 8fdede025c0c2701bc2507a0661377c8 8286 ruby optional ruby-graphql_2.2.17-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpdGclQlR_ou.pgp
Description: PGP signature


--- End Message ---
