On Fri, Nov 28, 2025 at 11:45:34AM +0100, Jiri Denemark wrote:
On Fri, Nov 28, 2025 at 11:05:25 +0100, Martin Kletzander wrote:
From: Martin Kletzander <[email protected]>

Signed-off-by: Martin Kletzander <[email protected]>
---
 NEWS.rst | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/NEWS.rst b/NEWS.rst
index c742954091df..8cc6e698ca25 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -13,6 +13,22 @@ v11.10.0 (unreleased)

 * **Security**

+  * CVE-2025-12748: Denial of service by some ACL-limited accounts
+
+    Parsing of user provided XMLs in APIs which needed the identification
+    information from those XML definitions was done in full before ACL checks
+    were performed.  Some valid, but useless, definitions could cause 
allocation
+    of too much memory, leading to denial of service. APIs which do equate to
+    full root access (such as ``domain:write``), and were parsing XML
+    definitions in full before performing ACL checks could, potentially, be
+    exploited in a way that would allow users (which were about to be denied 
the
+    API call) to cause aforementioned overallocation even before the ACL checks
+    were performed.
+
+    A change was made so that parsing before ACL checks are done only for the
+    identification parts of the XML definition (which is needed to perform the
+    checks) and full parsing is done only after checking all ACLs.
+
 * **Removed features**

 * **New features**
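
Review bot: In the first paragraph of the new CVE-2025-12748 entry, the sentence starting "APIs which do equate to full root access (such as ``domain:write``)" is hard to parse and largely repeats the two sentences before it. As written it is unclear whether the affected callers hold permissions equivalent to root or lack them, which is the detail a reader of a security note needs. Suggest saying once, directly, who could trigger the overallocation (users whose call would have been rejected by the ACL check) and dropping the restatement. In the second paragraph, "parsing before ACL checks are done only for the identification parts" has a subject/verb mismatch and reads ambiguously; something like "parsing done before the ACL checks is now limited to the identification parts" is clearer. The entry also names no affected APIs and the commit message has no body beyond the Signed-off-by, so a short description of the scope would help downstream readers.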

Reviewed-by: Jiri Denemark <[email protected]>


Ah, I forgot to add your R-b before pushing.  Sorry for that, I hope you
don't miss many internet points due to my error.  Have a nice weekend.
