[ClusterLabs] CVE-2025-30472 mitigation needs to be provided in a newer version to adapt in our application

Jan Friesse jfriesse at redhat.com
Fri Mar 28 08:03:00 UTC 2025


On 28/03/2025 07:46, S Sathish S wrote:
> Hi Honza/Team,
> 
> Whole situation is nicely summarized by Thomas Lamprecht:
> Corosync either runs encrypted or in a trusted network, anything else, i.e. where this is actually a problem, is just gross negligence and leaks the whole cluster traffic already anyway.
> 
> Likelihood of attack: As mentioned in the above statement, in our application Corosync encryption is enabled by default, the encryption key is secured, and only the superuser in the system can access it. But if somehow the private key "leaks", it will have a high impact on the entire cluster traffic.

True. If the private key "leaks", it will have a high impact on the whole cluster.

Please realize this is a general truth. Fixing the bug you've mentioned 
doesn't help one single bit in the case of a "leaked" private key.


> 
> Requesting official release for below reason:
> 
> 1) Any open-source project should use official releases rather than commit-based builds. Commit-based builds may lack thorough testing and could introduce regressions or incomplete features. In contrast, official releases undergo rigorous validation, including CI/CD pipelines, unit tests, and integration tests. They also incorporate security patches and verified checksums to ensure integrity. Additionally, official releases provide detailed release notes and changelogs, simplifying change tracking and version management.

Honestly, this looks like AI generated content. One of the solutions 
I've recommended was to use Knet CI-generated builds, which undergo the 
same validation for every single PR/merged commit.


> 2) Adapting the Corosync security patch independently while retaining the same version (e.g., 3.1.9) is not considered an official release by the community. As a result, when the VA scan tool is executed, vulnerabilities may still be detected in the updated version.

Ok, so you are saying RHEL/Debian/... packages which have the same 
version and only increase the Release part of the full package version 
are not considered an official release? And there is a really serious 
vulnerability scan tool which checks only the version part? If so, please 
consider moving to something more serious.


> Reference: https://www.tenable.com/cve/CVE-2025-30472
> 
> Therefore, it is recommended to adopt the official release for CVE-2025-30472 security fixes and provide a timeline for the expected new version that includes the reported CVE fixes.

I'm expecting to cut a release later this year if nothing urgent appears. 
Also because I really want to play with the mentioned bug reproducer for 
a while to check if there are more similar bugs or not, so when the new 
release is cut I can say "with some level of confidence I can say 
parsing of network data should be safe".



> 
> Thanks and Regards,
> S Sathish
> 
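
A quick way to verify the two conditions this thread hinges on, that Corosync traffic is encrypted and authenticated and that the authkey is readable only by its owner (root in a real deployment): an added example, not code from the thread or from the Corosync project. It uses a constructed corosync.conf and a constructed key file under a temp dir standing in for /etc/corosync; the crypto_cipher/crypto_hash option names and their accepted values are the ones documented in the corosync.conf manual.

```shell
# Constructed sample configs (not from the thread), written to a temp dir.
TMP=$(mktemp -d)
cat > "$TMP/corosync.conf" <<'EOF'
totem {
    version: 2
    cluster_name: example
    crypto_cipher: aes256
    crypto_hash: sha256
}
EOF
cat > "$TMP/weak.conf" <<'EOF'
totem {
    version: 2
    cluster_name: example
    crypto_cipher: none
    crypto_hash: none
}
EOF
# Constructed stand-in for /etc/corosync/authkey: 128 random bytes, mode 0400.
head -c 128 /dev/urandom > "$TMP/authkey"
chmod 0400 "$TMP/authkey"

# Returns 0 when crypto_cipher and crypto_hash are both set to a real
# algorithm (knet requires a hash whenever a cipher is enabled) and the
# key file is readable only by its owner; returns 1 and prints the reason
# otherwise.
check_corosync_crypto() {
    conf="$1"; key="$2"; rc=0
    cipher=$(sed -n 's/^[[:space:]]*crypto_cipher:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf")
    chash=$(sed -n 's/^[[:space:]]*crypto_hash:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf")
    case "$cipher" in
        aes256|aes192|aes128) ;;
        *) echo "crypto_cipher is '${cipher:-unset}': traffic is not encrypted"; rc=1 ;;
    esac
    case "$chash" in
        sha256|sha384|sha512|sha1|md5) ;;
        *) echo "crypto_hash is '${chash:-unset}': traffic is not authenticated"; rc=1 ;;
    esac
    [ -f "$key" ] || { echo "authkey $key is missing"; return 1; }
    # GNU stat first, BSD/macOS stat as fallback; both print octal mode bits.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        400|600) ;;
        *) echo "authkey mode is $mode, expected 400 (owner-only)"; rc=1 ;;
    esac
    return $rc
}
```

Point it at /etc/corosync/corosync.conf and /etc/corosync/authkey on a real node; a non-zero exit means the cluster is in the "trusted network only" situation the thread describes.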
