[ClusterLabs] CVE-2025-30472 mitigation need to provided newer version to adapt in our application
Jan Friesse
jfriesse at redhat.com
Thu Mar 27 16:25:21 UTC 2025
Hi,
On 27/03/2025 14:40, S Sathish S via Users wrote:
> Hi Team,
>
> In our application we are using below corosync version where CVE-2025-30472 are impacted and same reported in our VA tool scan, Look like subjected CVE is mitigated with below commit message . if yes please release newer version of corosync to integrate in our system.
As written in comments for GH issue, the problem appears only when
corosync runs unencrypted or if private key "leaks".
Whole situation is nicely summarized by Thomas Lamprecht:
Corosync either runs encrypted or in a trusted network, anything else,
i.e. where this is actually a problem, is just gross negligence and
leaks the whole cluster traffic already anyway.
Honestly I don't see any reason to release new upstream version right
now. You can always patch corosync yourself, use kronosnet ci generated
builds (we have them for reason) or (if using distribution version) ask
distribution package maintainer for patched package.
Honza
>
> https://github.com/corosync/corosync/blob/73ba225cc48ebb1903897c792065cb5e876613b0/exec/totemsrp.c#L4677
>
> Thanks and Regards,
> S Sathish S
>
>
> _______________________________________________
> Manage your subscription:
> https://lists.clusterlabs.org/mailman/listinfo/users
>
> ClusterLabs home: https://www.clusterlabs.org/
>
More information about the Users
mailing list