[ClusterLabs] CVE-2025-30472 mitigation need to provided newer version to adapt in our application
VoIP
voip at mesaproyectos.com
Fri Mar 28 06:55:54 UTC 2025
-1
If you are not satisfied with the management of the software, use
another, maybe commercial. Demanding without giving is not the
philosophy of Open Source.
Regards
On 28/03/2025 at 1:46 a.m., S Sathish S via Users wrote:
>
> Hi Honza/Team,
>
> Whole situation is nicely summarized by Thomas Lamprecht:
>
> Corosync either runs encrypted or in a trusted network, anything else,
> i.e. where this is actually a problem, is just gross negligence and
> leaks the whole cluster traffic already anyway.
>
> Likelihood of attack: As mentioned in the statement above, in our
> application, Corosync encryption is enabled by default, and the
> encryption key is secured and accessible only to the superuser on the system.
> But if the private key somehow "leaks", *it will have a high impact on the entire cluster
> traffic*.
>
> Requesting official release for below reason:
>
> 1) Any open-source project should use official releases rather than
> commit-based builds. Commit-based builds may lack thorough testing and
> could introduce regressions or incomplete features. In contrast,
> official releases undergo rigorous validation, including CI/CD
> pipelines, unit tests, and integration tests. They also incorporate
> security patches and verified checksums to ensure integrity.
> Additionally, official releases provide detailed release notes and
> changelogs, simplifying change tracking and version management.
>
> 2) Adapting the Corosync security patch independently while retaining
> the same version (e.g., 3.1.9) is not considered an official release
> by the community. As a result, when the VA scan tool is executed,
> vulnerabilities may still be detected in the updated version.
>
> Reference: https://www.tenable.com/cve/CVE-2025-30472
>
> Therefore, it is recommended to adopt the official release for
> CVE-2025-30472 security fixes and *provide a timeline for the expected
> new version that includes the reported CVE fixes*.
>
> Thanks and Regards,
>
> S Sathish
>
>
> _______________________________________________
> Manage your subscription:
> https://lists.clusterlabs.org/mailman/listinfo/users
>
> ClusterLabs home: https://www.clusterlabs.org/
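The mitigation argument in the quoted message rests on two conditions: Corosync traffic is encrypted, and the authkey is readable only by root. The following is an added example (not part of this thread or of the Corosync project) that audits both from a defender's side; it assumes the Corosync 3.x `totem` keys `crypto_cipher` and `crypto_hash` (which default to `none` when absent) and the default key path `/etc/corosync/authkey`.

```python
import os
import re
import stat

# Constructed corosync.conf fragment for demonstration (not taken from the page).
SAMPLE_CONF = """
totem {
    version: 2
    cluster_name: demo          # trailing comment is ignored by the parser
    crypto_cipher: aes256
    crypto_hash: sha256
    interface {
        linknumber: 0
    }
}
logging {
    to_syslog: yes
}
"""

AUTHKEY_PATH = "/etc/corosync/authkey"  # assumed default location of the shared key


def parse_corosync_conf(text):
    """Parse the brace-delimited 'section { key: value }' format into nested dicts."""
    root, stack, cur = {}, [], None
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opener = re.match(r"^(\w+)\s*\{$", line)
        if opener:                      # descend into a (possibly nested) block
            stack.append(cur)
            cur = cur.setdefault(opener.group(1), {})
        elif line == "}":               # close the innermost open block
            cur = stack.pop()
        else:
            key, _, val = line.partition(":")
            cur[key.strip()] = val.strip()
    return root


def crypto_enabled(conf):
    """True only when BOTH cipher and hash are set to something other than 'none'."""
    totem = conf.get("totem", {})
    cipher = totem.get("crypto_cipher", "none").lower()
    digest = totem.get("crypto_hash", "none").lower()
    return cipher != "none" and digest != "none"


def authkey_restricted(mode, uid, expected_uid=0):
    """Key file must be root-owned with no group/other permission bits at all."""
    return uid == expected_uid and (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def audit_authkey(path=AUTHKEY_PATH):
    """Stat the real key file and apply the ownership/permission rule."""
    st = os.stat(path)
    return authkey_restricted(st.st_mode, st.st_uid)
```

Running `crypto_enabled(parse_corosync_conf(open("/etc/corosync/corosync.conf").read()))` together with `audit_authkey()` on a node gives a quick pass/fail for the two conditions the thread relies on.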