<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>-1</p>
<p><span class="HwtZe" lang="en"><span class="jCAhz ChMk0b"><span
class="ryNqvb">If you are not satisfied with the management
of the software, use another, maybe commercial.</span></span>
<span class="jCAhz ChMk0b"><span class="ryNqvb">Demanding
without giving is not the philosophy of Open Source.</span></span></span></p>
<p><span class="HwtZe" lang="en"><span class="jCAhz ChMk0b"><span
class="ryNqvb">Regards<br>
</span></span></span></p>
<div class="moz-cite-prefix">On 28/03/2025 at 1:46 a.m., S
Sathish S via Users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DU0PR07MB86413BFEEFD49A8D77286AAFD5A02@DU0PR07MB8641.eurprd07.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">Hi Honza/Team,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Whole situation is nicely summarized by
Thomas Lamprecht:<o:p></o:p></p>
<p class="MsoNormal">Corosync either runs encrypted or in a
trusted network, anything else, i.e. where this is actually a
problem, is just gross negligence and leaks the whole cluster
traffic already anyway.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Likelihood of attack: As mentioned in the
above statement, in our application Corosync encryption is enabled
by default, and the encryption key is secured and accessible only
to the superuser in the system. But if the private key somehow "leaks",
<b>it will have a high impact on the entire cluster traffic</b>. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Requesting an official release for the
reasons below:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">1) Any open-source project should use
official releases rather than commit-based builds. Commit-based
builds may lack thorough testing and could introduce
regressions or incomplete features. In contrast, official
releases undergo rigorous validation, including CI/CD
pipelines, unit tests, and integration tests. They also
incorporate security patches and verified checksums to ensure
integrity. Additionally, official releases provide detailed
release notes and changelogs, simplifying change tracking and
version management.<o:p></o:p></p>
<p class="MsoNormal">2) Adapting the Corosync security patch
independently while retaining the same version (e.g., 3.1.9)
is not considered an official release by the community. As a
result, when the VA scan tool is executed, vulnerabilities may
still be detected in the updated version.<o:p></o:p></p>
<p class="MsoNormal">Reference: <a
href="https://www.tenable.com/cve/CVE-2025-30472"
moz-do-not-send="true" class="moz-txt-link-freetext">
https://www.tenable.com/cve/CVE-2025-30472</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Therefore, it is recommended to adopt the
official release for CVE-2025-30472 security fixes and
<b>provide a timeline for the expected new version that
includes the reported CVE fixes</b>.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks and Regards,<o:p></o:p></p>
<p class="MsoNormal">S Sathish<o:p></o:p></p>
</div>
<br>
</blockquote>
</body>
</html>