[Git][security-tracker-team/security-tracker][master] ruby-saml: Add notes regarding the relationship between CVE-2025-54572 and CVE-2025-25293

Mon, 25 Aug 2025 07:07:17 -0700 


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ab57253a by Adrian Bunk at 2025-08-25T16:53:43+03:00
ruby-saml: Add notes regarding the relationship between CVE-2025-54572 and 
CVE-2025-25293

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -7149,6 +7149,8 @@ CVE-2025-54572 (The Ruby SAML library is for implementing 
the client side of a S
        NOTE: 
https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-rrqh-93c8-j966
        NOTE: https://github.com/SAML-Toolkits/ruby-saml/pull/770
        NOTE: Fixed by: 
https://github.com/SAML-Toolkits/ruby-saml/commit/fd2f532862b6453069d69d07a541e668609c2bbc
+       NOTE: This is a continuation/fix of CVE-2025-25293 that added the 
max_bytesize check too late:
+       NOTE: 
https://github.com/SAML-Toolkits/ruby-saml/commit/533c84ebfc40f8cbac645b6c76ce4949f95d27d6
 (v1.12.0)
 CVE-2025-54433 (Bugsink is a self-hosted error tracking service. In versions 
1.4.2 and ...)
        NOT-FOR-US: Bugsink
 CVE-2025-54430 (dedupe is a python library that uses machine learning to 
perform fuzzy ...)
@@ -51625,6 +51627,7 @@ CVE-2025-25293 (ruby-saml provides security assertion 
markup language (SAML) sin
        NOTE: https://github.com/SAML-Toolkits/ruby-saml/pull/601 
(v1.13.0..v1.18.0)
        NOTE: 
https://github.com/SAML-Toolkits/ruby-saml/commit/c21d6935b43a032701d99e398cbfc551e80bfb72
 (v1.13.0)
        NOTE: 
https://github.com/SAML-Toolkits/ruby-saml/commit/acac9e9cc0b9a507882c614f25d41f8b47be349a
 (v1.18.0)
+       NOTE: The MAX_BYTE_SIZE check is too late, leaving CVE-2025-54572 
unfixed.
 CVE-2025-25292 (ruby-saml provides security assertion markup language (SAML) 
single si ...)
        {DLA-4115-1}
        - ruby-saml <removed> (bug #1100441)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab57253a2b315265abd29a35c278f8d898c36bf7

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab57253a2b315265abd29a35c278f8d898c36bf7
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to