[ClusterLabs] CVE-2025-30472 mitigation needs to be provided in a newer version to adopt in our application

VoIP voip at mesaproyectos.com
Fri Mar 28 06:55:54 UTC 2025


-1

if you are not satisfied with the management of the software, use 
another, maybe commercial. Demanding without giving is not the 
philosophy of Open Source.

Regards

On 28/03/2025 at 1:46 a.m., S Sathish S via Users wrote:
>
> Hi Honza/Team,
>
> Whole situation is nicely summarized by Thomas Lamprecht:
>
> Corosync either runs encrypted or in a trusted network, anything else, 
> i.e. where this is actually a problem, is just gross negligence and 
> leaks the whole cluster traffic already anyway.
>
> Likelihood of attack: As mentioned in the above statement, in our 
> application Corosync encryption is enabled by default; the 
> encryption key is secured and accessible only to the superuser on the system. 
> But if the private key somehow "leaks", *it will have a high impact on the 
> entire cluster traffic*.
>
> Requesting official release for below reason:
>
> 1) Any open-source project should use official releases rather than 
> commit-based builds. Commit-based builds may lack thorough testing and 
> could introduce regressions or incomplete features. In contrast, 
> official releases undergo rigorous validation, including CI/CD 
> pipelines, unit tests, and integration tests. They also incorporate 
> security patches and verified checksums to ensure integrity. 
> Additionally, official releases provide detailed release notes and 
> changelogs, simplifying change tracking and version management.
>
> 2) Adapting the Corosync security patch independently while retaining 
> the same version (e.g., 3.1.9) is not considered an official release 
> by the community. As a result, when the VA scan tool is executed, 
> vulnerabilities may still be detected in the updated version.
>
> Reference: https://www.tenable.com/cve/CVE-2025-30472
>
> Therefore, it is recommended to adopt the official release for 
> CVE-2025-30472 security fixes and *provide a timeline for the expected 
> new version that includes the reported CVE fixes*.
>
> Thanks and Regards,
>
> S Sathish
>
>
> _______________________________________________
> Manage your subscription:
> https://lists.clusterlabs.org/mailman/listinfo/users
>
> ClusterLabs home:https://www.clusterlabs.org/
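The mitigation the quoted message relies on (totem encryption enabled, authkey readable only by the superuser) is something a defender can verify mechanically. The following is an added example, not code from this thread or from the Corosync project: it parses the `totem` section of a constructed corosync.conf (the `crypto_cipher`/`crypto_hash` keys are the real ones; the sample values are constructed) and checks the permission bits of the shared key file.

```python
"""Audit a corosync.conf for totem encryption and the authkey for safe
permissions. Added illustration, not Corosync project code. The parser
handles corosync.conf's nested `section { key: value }` layout."""
import re

# Constructed samples: the cleartext setting the thread warns about, and
# the hardened setting the quoted message says is enabled by default.
WEAK_CONF = """
totem {
    version: 2
    crypto_cipher: none
    crypto_hash: none
}
"""
HARDENED_CONF = """
totem {
    version: 2
    crypto_cipher: aes256
    crypto_hash: sha256
}
"""

def parse_corosync_conf(text):
    """Return {section_path: {key: value}}; nested sections use dotted paths."""
    result, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^(\w+)\s*\{$", line)      # section opener, e.g. "totem {"
        if m:
            stack.append(m.group(1))
            result.setdefault(".".join(stack), {})
            continue
        if line == "}":                          # section close
            stack.pop()
            continue
        key, _, value = line.partition(":")
        result.setdefault(".".join(stack), {})[key.strip()] = value.strip()
    return result

def totem_encrypted(conf):
    """True only if traffic is both encrypted and authenticated (neither is 'none')."""
    totem = conf.get("totem", {})
    cipher = totem.get("crypto_cipher", "none").lower()   # Corosync 3 default is none
    digest = totem.get("crypto_hash", "none").lower()
    return cipher != "none" and digest != "none"

def authkey_mode_ok(mode):
    """True if the key file has no group/other permission bits (e.g. 0400)."""
    return (mode & 0o077) == 0
```

Feed `authkey_mode_ok` the `st_mode` of `/etc/corosync/authkey` from `os.stat` and pair it with an owner check (uid 0) on a real host.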