Your message dated Sat, 21 Jun 2025 10:20:44 +0000
with message-id <[email protected]>
and subject line Bug#1102006: fixed in corosync 3.1.9-2
has caused the Debian Bug report #1102006,
regarding corosync: CVE-2025-30472
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1102006: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102006
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: corosync
Version: 3.1.9-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/corosync/corosync/issues/778
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for corosync.
CVE-2025-30472[0]:
| Corosync through 3.1.9, if encryption is disabled or the attacker
| knows the encryption key, has a stack-based buffer overflow in
| orf_token_endian_convert in exec/totemsrp.c via a large UDP packet.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-30472
https://www.cve.org/CVERecord?id=CVE-2025-30472
[1] https://github.com/corosync/corosync/issues/778
[2] https://github.com/corosync/corosync/pull/779
[3] https://github.com/corosync/corosync/commit/7839990f9cdf34e55435ed90109e82709032466a
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: corosync
Source-Version: 3.1.9-2
Done: Ferenc Wágner <[email protected]>
We believe that the bug you reported is fixed in the latest version of
corosync, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ferenc Wágner <[email protected]> (supplier of updated corosync package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sat, 21 Jun 2025 11:54:36 +0200
Source: corosync
Architecture: source
Version: 3.1.9-2
Distribution: unstable
Urgency: medium
Maintainer: Debian HA Maintainers <[email protected]>
Changed-By: Ferenc Wágner <[email protected]>
Closes: 1102006
Changes:
corosync (3.1.9-2) unstable; urgency=medium
.
* [d29071e] New patch: totemsrp: Check size of orf_token msg.
Cherry-picked security fix for CVE-2025-30472, upstream commit
7839990f9cdf34e55435ed90109e82709032466a.
Corosync through 3.1.9, if encryption is disabled or the attacker knows
the encryption key, has a stack-based buffer overflow in
orf_token_endian_convert in exec/totemsrp.c via a large UDP packet.
Thanks to Jan Friesse (Closes: #1102006)
--- End Message ---
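The class of check the changelog entry above names ("Check size of orf_token msg") for the overflow the bug report describes, as an added illustration written for this page and not corosync's own code: it uses a hypothetical, simplified token layout (the field offsets, MAX_RTR_ENTRIES and the function names are all assumptions), validates the declared entry count against both the fixed array capacity and the actual datagram length, and only then byte-swaps the packet into the fixed-size stack struct.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical, simplified wire format (NOT corosync's real layout):
 * three big-endian 32-bit fields, a 16-bit entry count, then `count`
 * big-endian 32-bit retransmit-request entries. */
#define TOKEN_HDR_LEN 14
#define MAX_RTR_ENTRIES 16   /* hypothetical fixed capacity of the stack array */

struct orf_token_host {
    uint32_t seq, token_seq, aru;
    uint16_t rtr_count;
    uint32_t rtr[MAX_RTR_ENTRIES];
};

static uint32_t load_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t load_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Converts a received datagram to host order into a fixed-size struct.
 * The entry count is checked against the array capacity AND the datagram
 * length before any write, so an oversized packet is rejected, not copied.
 * Returns 0 on success, -1 if the datagram is rejected. */
int orf_token_decode(const uint8_t *msg, size_t msg_len, struct orf_token_host *out)
{
    if (msg_len < TOKEN_HDR_LEN) return -1;                       /* truncated header */
    uint16_t count = load_be16(msg + 12);
    if (count > MAX_RTR_ENTRIES) return -1;                       /* would overrun out->rtr */
    if (msg_len != TOKEN_HDR_LEN + (size_t)count * 4) return -1;  /* length disagrees */
    out->seq = load_be32(msg);
    out->token_seq = load_be32(msg + 4);
    out->aru = load_be32(msg + 8);
    out->rtr_count = count;
    for (uint16_t i = 0; i < count; i++)
        out->rtr[i] = load_be32(msg + TOKEN_HDR_LEN + 4 * i);
    return 0;
}

/* Constructed sample datagrams (not captured traffic). */
int demo_valid_token(void) {
    static const uint8_t m[] = { 0,0,0,1, 0,0,0,2, 0,0,0,3, 0,2, 0,0,0,9, 0,0,0,10 };
    struct orf_token_host t;
    if (orf_token_decode(m, sizeof m, &t) != 0) return -1;
    return (int)t.rtr[1];   /* second entry: 10 */
}
int demo_oversized_count(void) {   /* claims 0xFFFF entries, carries none: rejected */
    static const uint8_t m[] = { 0,0,0,1, 0,0,0,2, 0,0,0,3, 0xFF,0xFF };
    struct orf_token_host t;
    return orf_token_decode(m, sizeof m, &t);
}
```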