Salvatore Bonaccorso <[email protected]> writes:

> CVE-2025-30472[0]:
> | Corosync through 3.1.9, if encryption is disabled or the attacker
> | knows the encryption key, has a stack-based buffer overflow in
> | orf_token_endian_convert in exec/totemsrp.c via a large UDP packet.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-30472
>     https://www.cve.org/CVERecord?id=CVE-2025-30472
> [1] https://github.com/corosync/corosync/issues/778
Dear Salvatore,

Considering the linked discussion with Corosync upstream, do you think Debian should release a patched package to bookworm? According to the security tracker, this is a postponed minor issue in bullseye, and I do not see why it would be weighted differently anywhere else. If it is, I am willing to backport the patch and prepare updated packages for bookworm and unstable. Upstream has not released a new version yet.

--
Thanks for your guidance,
Feri.

