On 28/03/2025 07:46, S Sathish S wrote:
Hi Honza/Team,
Whole situation is nicely summarized by Thomas Lamprecht:
Corosync either runs encrypted or in a trusted network, anything else, i.e.
where this is actually a problem, is just gross negligence and leaks the whole
cluster traffic already anyway.
Likelihood of attack: As mentioned above statement , In our application, Corosync
encryption is enabled by default, then encryption key is secured and it access only
superuser in the system. But somehow if private key "leaks" it will high impact
entire cluster traffic.
True. If private key "leaks" it will high impact whole cluster.
Please realize this is general truth. Fixing the bug you've mentioned
doesn't help any single bit in case of "leaked" private key.
Requesting official release for below reason:
1) Any open-source project should use official releases rather than
commit-based builds.Commit-based builds may lack thorough testing and could
introduce regressions or incomplete features. In contrast, official releases
undergo rigorous validation, including CI/CD pipelines, unit tests, and
integration tests. They also incorporate security patches and verified
checksums to ensure integrity. Additionally, official releases provide detailed
release notes and changelogs, simplifying change tracking and version
management.
Honestly, this looks like AI generated content. One of solutions which
I've recommended was to use Knet CI generated builds which undergoes
same validation for every single PR/merged commit.
2) Adapting the Corosync security patch independently while retaining the same
version (e.g., 3.1.9) is not considered an official release by the community.
As a result, when the VA scan tool is executed, vulnerabilities may still be
detected in the updated version.
Ok, so you are saying RHEL/Debian/... packages which has same version
and only increase Release part of full package version are not
considered official release? And there is really serious vulnerability
scan tool which checks only version part? If so, please consider move to
something more serious.
Reference : https://www.tenable.com/cve/CVE-2025-30472
Therefore, it is recommended to adopt the official release for CVE-2025-30472
security fixes and provide a timeline for the expected new version that
includes the reported CVE fixes.
I'm expecting to cut release later this year if nothing urgent appears.
Also because I really want to play with the mentioned bug reproduced for
a while to check if there is more similar bugs or not, so when new
release is cut I can say "with some level of confidence I can say
parsing of network data should be safe".
Thanks and Regards,
S Sathish
_______________________________________________
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users
ClusterLabs home: https://www.clusterlabs.org/
