-1
If you are not satisfied with the management of the software, use
another, maybe commercial. Demanding without giving is not the
philosophy of Open Source.
Regards
On 28/03/2025 at 1:46 a.m., S Sathish S via Users wrote:
Hi Honza/Team,
Whole situation is nicely summarized by Thomas Lamprecht:
Corosync either runs encrypted or in a trusted network, anything else,
i.e. where this is actually a problem, is just gross negligence and
leaks the whole cluster traffic already anyway.
Likelihood of attack: As mentioned in the above statement, in our
application Corosync encryption is enabled by default, then the
encryption key is secured and accessible only by the superuser in the
system. But if the private key somehow "leaks", *it will have a high
impact on the entire cluster traffic*.
Requesting official release for below reason:
1) Any open-source project should use official releases rather than
commit-based builds. Commit-based builds may lack thorough testing and
could introduce regressions or incomplete features. In contrast,
official releases undergo rigorous validation, including CI/CD
pipelines, unit tests, and integration tests. They also incorporate
security patches and verified checksums to ensure integrity.
Additionally, official releases provide detailed release notes and
changelogs, simplifying change tracking and version management.
2) Adapting the Corosync security patch independently while retaining
the same version (e.g., 3.1.9) is not considered an official release
by the community. As a result, when the VA scan tool is executed,
vulnerabilities may still be detected in the updated version.
Reference : https://www.tenable.com/cve/CVE-2025-30472
Therefore, it is recommended to adopt the official release for
CVE-2025-30472 security fixes and *provide a timeline for the expected
new version that includes the reported CVE fixes*.
Thanks and Regards,
S Sathish
_______________________________________________
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users
ClusterLabs home: https://www.clusterlabs.org/