[Git][security-tracker-team/security-tracker][master] ruby-saml: Add notes regarding the relationship between CVE-2025-54572 and CVE-2025-25293

Adrian Bunk (@bunk) bunk at debian.org
Mon Aug 25 15:07:03 BST 2025 


Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ab57253a by Adrian Bunk at 2025-08-25T16:53:43+03:00
ruby-saml: Add notes regarding the relationship between CVE-2025-54572 and CVE-2025-25293

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -7149,6 +7149,8 @@ CVE-2025-54572 (The Ruby SAML library is for implementing the client side of a S
 	NOTE: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-rrqh-93c8-j966
 	NOTE: https://github.com/SAML-Toolkits/ruby-saml/pull/770
 	NOTE: Fixed by: https://github.com/SAML-Toolkits/ruby-saml/commit/fd2f532862b6453069d69d07a541e668609c2bbc
+	NOTE: This is a continuation/fix of CVE-2025-25293 that added the max_bytesize check too late:
+	NOTE: https://github.com/SAML-Toolkits/ruby-saml/commit/533c84ebfc40f8cbac645b6c76ce4949f95d27d6 (v1.12.0)
 CVE-2025-54433 (Bugsink is a self-hosted error tracking service. In versions 1.4.2 and ...)
 	NOT-FOR-US: Bugsink
 CVE-2025-54430 (dedupe is a python library that uses machine learning to perform fuzzy ...)
@@ -51625,6 +51627,7 @@ CVE-2025-25293 (ruby-saml provides security assertion markup language (SAML) sin
 	NOTE: https://github.com/SAML-Toolkits/ruby-saml/pull/601 (v1.13.0..v1.18.0)
 	NOTE: https://github.com/SAML-Toolkits/ruby-saml/commit/c21d6935b43a032701d99e398cbfc551e80bfb72 (v1.13.0)
 	NOTE: https://github.com/SAML-Toolkits/ruby-saml/commit/acac9e9cc0b9a507882c614f25d41f8b47be349a (v1.18.0)
+	NOTE: The MAX_BYTE_SIZE check is too late, leaving CVE-2025-54572 unfixed.
 CVE-2025-25292 (ruby-saml provides security assertion markup language (SAML) single si ...)
 	{DLA-4115-1}
 	- ruby-saml <removed> (bug #1100441)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab57253a2b315265abd29a35c278f8d898c36bf7

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab57253a2b315265abd29a35c278f8d898c36bf7
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250825/fe832a82/attachment.htm>

More information about the debian-security-tracker-commits mailing list