Hi,
On 27/03/2025 14:40, S Sathish S via Users wrote:
Hi Team,
In our application we are using the corosync version below, which CVE-2025-30472
impacts, and the same is reported in our VA tool scan. It looks like the subject
CVE is mitigated by the commit message below. If yes, please release a newer
version of corosync to integrate in our system.
As written in the comments for the GH issue, the problem appears only when
corosync runs unencrypted or if the private key "leaks".
The whole situation is nicely summarized by Thomas Lamprecht:
Corosync either runs encrypted or in a trusted network, anything else,
i.e. where this is actually a problem, is just gross negligence and
leaks the whole cluster traffic already anyway.
Honestly, I don't see any reason to release a new upstream version right
now. You can always patch corosync yourself, use the kronosnet CI generated
builds (we have them for a reason) or (if using a distribution version) ask
the distribution package maintainer for a patched package.
Honza
https://github.com/corosync/corosync/blob/73ba225cc48ebb1903897c792065cb5e876613b0/exec/totemsrp.c#L4677
Thanks and Regards,
S Sathish S
_______________________________________________
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users
ClusterLabs home: https://www.clusterlabs.org/
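The reply above makes the mitigating condition concrete: the issue is only reachable when the totem traffic is unencrypted. The script below is an added example, not corosync's own tooling and not from anyone in this thread. It audits the totem section of a corosync.conf for the crypto_cipher and crypto_hash keys, treating an absent key as "none" (the corosync 3 default documented in corosync.conf(5)), and flags a cluster that would be sending plaintext, unauthenticated membership traffic. The two configuration files it checks are constructed for the example; the weak one is the setting the thread calls gross negligence, the strong one the corrected form.

```shell
#!/bin/sh
# Added example: audit a corosync.conf for totem encryption, the condition the
# thread identifies as the real mitigation. Not part of corosync itself.

# Print the value of a key inside the totem { ... } block, tracking brace depth
# so nested blocks such as interface { ... } do not end the section early.
# Prints "none" when the key is absent, matching the corosync 3 default for
# both crypto_cipher and crypto_hash (assumption taken from corosync.conf(5)).
totem_value() {
    _key="$1"; _file="$2"
    _v=$(awk -v key="$_key" '
        /^[[:space:]]*totem[[:space:]]*[{]/ { in_totem = 1; depth = 1; next }
        in_totem {
            if ($1 == key":") { print $2; exit }
            n_open = gsub(/[{]/, "{"); n_close = gsub(/[}]/, "}")
            depth += n_open - n_close
            if (depth <= 0) in_totem = 0
        }
    ' "$_file")
    printf '%s\n' "${_v:-none}"
}

# Verdict: return 0 when cluster traffic is both encrypted and authenticated,
# 1 when either setting is "none" (corosync also refuses a cipher without a hash,
# so either value being none means the traffic is exposed).
check_corosync_crypto() {
    _file="$1"
    _cipher=$(totem_value crypto_cipher "$_file")
    _hash=$(totem_value crypto_hash "$_file")
    if [ "$_cipher" = none ] || [ "$_hash" = none ]; then
        echo "UNENCRYPTED: crypto_cipher=$_cipher crypto_hash=$_hash ($_file)"
        return 1
    fi
    echo "encrypted: crypto_cipher=$_cipher crypto_hash=$_hash ($_file)"
    return 0
}

# Constructed sample configurations (not taken from any real deployment).
# Prints the directory that holds weak.conf and strong.conf.
write_samples() {
    _dir=$(mktemp -d)
    cat > "$_dir/weak.conf" <<'EOF'
totem {
    version: 2
    cluster_name: demo
    # crypto_cipher and crypto_hash left at their default of none:
    # plaintext, unauthenticated totem traffic
    interface {
        ringnumber: 0
    }
}
EOF
    cat > "$_dir/strong.conf" <<'EOF'
totem {
    version: 2
    cluster_name: demo
    crypto_cipher: aes256
    crypto_hash: sha256
    interface {
        ringnumber: 0
    }
}
EOF
    printf '%s\n' "$_dir"
}

SAMPLES=$(write_samples)
check_corosync_crypto "$SAMPLES/weak.conf" || true
check_corosync_crypto "$SAMPLES/strong.conf"
```

Point the check at /etc/corosync/corosync.conf on each node; a non-zero exit on any node means the cluster is in the unencrypted configuration the thread describes, whatever the scanner says about the corosync version.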