[ClusterLabs] CVE-2025-30472 mitigation need to provided newer version to adapt in our application

Jan Friesse jfriesse at redhat.com
Thu Mar 27 16:25:21 UTC 2025


Hi,

On 27/03/2025 14:40, S Sathish S via Users wrote:
> Hi Team,
> 
> In our application we are using the below corosync version, where CVE-2025-30472 is impacted and the same is reported in our VA tool scan. It looks like the subject CVE is mitigated with the below commit message. If yes, please release a newer version of corosync to integrate in our system.

As written in the comments on the GH issue, the problem appears only when 
corosync runs unencrypted or if the private key "leaks".

The whole situation is nicely summarized by Thomas Lamprecht:
Corosync either runs encrypted or in a trusted network; anything else, 
i.e. where this is actually a problem, is just gross negligence and 
leaks the whole cluster traffic already anyway.

Honestly I don't see any reason to release a new upstream version right 
now. You can always patch corosync yourself, use the kronosnet CI generated 
builds (we have them for a reason) or (if using a distribution version) ask 
the distribution package maintainer for a patched package.

Honza

> 
> https://github.com/corosync/corosync/blob/73ba225cc48ebb1903897c792065cb5e876613b0/exec/totemsrp.c#L4677
> 
> Thanks and Regards,
> S Sathish S
> 
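The reply's mitigation condition is that corosync must not be running unencrypted. The following shell check, added here as an example and not code from the thread or from the corosync project, reads a corosync.conf and reports whether the totem block actually enables knet crypto. It assumes the corosync 3.x keys `crypto_cipher` and `crypto_hash` (a missing key is treated as `none`, corosync's documented default), ignores nested-block structure, and runs against two constructed sample configs rather than a live cluster.

```shell
#!/bin/sh
# Added example (not from the list thread or the corosync project).
# corosync_crypto_state <corosync.conf> prints "encrypted" when both
# crypto_cipher and crypto_hash are set to something other than "none",
# otherwise "unencrypted". Assumption: corosync 3.x key names; a key that is
# absent defaults to "none", as the corosync.conf man page documents.
corosync_crypto_state() {
    file="$1"
    # Take the last uncommented assignment of each key; commented lines
    # ("# crypto_cipher: aes256") do not match because of the ^ anchor.
    cipher=$(sed -n 's/^[[:space:]]*crypto_cipher[[:space:]]*:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$file" | tail -n 1)
    hash=$(sed -n 's/^[[:space:]]*crypto_hash[[:space:]]*:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$file" | tail -n 1)
    cipher=${cipher:-none}
    hash=${hash:-none}
    if [ "$cipher" = "none" ] || [ "$hash" = "none" ]; then
        echo unencrypted
    else
        echo encrypted
    fi
}

# Constructed sample configs (not real cluster configs).
WEAK_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

# Weak: crypto explicitly disabled, so totem traffic is neither
# authenticated nor encrypted. Relies on a trusted network.
cat > "$WEAK_CONF" <<'EOF'
totem {
    version: 2
    cluster_name: example
    crypto_cipher: none
    crypto_hash: none
}
EOF

# Hardened: cipher and hash enabled; the shared key lives in the authkey
# file generated by corosync-keygen on each node.
cat > "$HARDENED_CONF" <<'EOF'
totem {
    version: 2
    cluster_name: example
    # crypto_cipher: none   <- old setting left as a comment, must be ignored
    crypto_cipher: aes256
    crypto_hash: sha256
}
EOF

echo "weak config:     $(corosync_crypto_state "$WEAK_CONF")"
echo "hardened config: $(corosync_crypto_state "$HARDENED_CONF")"
```

Run it as `sh check-corosync-crypto.sh`; to audit a node, call `corosync_crypto_state /etc/corosync/corosync.conf`. A result of `unencrypted` means the node is in the situation the reply describes, and enabling `crypto_cipher`/`crypto_hash` (with a matching authkey on every node) is the fix to apply before worrying about the patch.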
