<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#467886;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:11.0pt;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-IN" link="#467886" vlink="#96607D" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hi Honza/Team,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Whole situation is nicely summarized by Thomas Lamprecht:<o:p></o:p></p>
<p class="MsoNormal">Corosync either runs encrypted or in a trusted network, anything else, i.e. where this is actually a problem, is just gross negligence and leaks the whole cluster traffic already anyway.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Likelihood of attack: As mentioned above statement , In our application, Corosync encryption is enabled by default, then encryption key is secured and it access only superuser in the system. But somehow if private key "leaks"
<b>it will high impact entire cluster traffic</b>. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Requesting official release for below reason:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">1) Any open-source project should use official releases rather than commit-based builds.Commit-based builds may lack thorough testing and could introduce regressions or incomplete features. In contrast, official releases undergo rigorous
validation, including CI/CD pipelines, unit tests, and integration tests. They also incorporate security patches and verified checksums to ensure integrity. Additionally, official releases provide detailed release notes and changelogs, simplifying change tracking
and version management.<o:p></o:p></p>
<p class="MsoNormal">2) Adapting the Corosync security patch independently while retaining the same version (e.g., 3.1.9) is not considered an official release by the community. As a result, when the VA scan tool is executed, vulnerabilities may still be detected
in the updated version.<o:p></o:p></p>
<p class="MsoNormal"> Reference : <a href="https://www.tenable.com/cve/CVE-2025-30472">
https://www.tenable.com/cve/CVE-2025-30472</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Therefore, it is recommended to adopt the official release for CVE-2025-30472 security fixes and
<b>provide a timeline for the expected new version that includes the reported CVE fixes</b>.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks and Regards,<o:p></o:p></p>
<p class="MsoNormal">S Sathish<o:p></o:p></p>
</div>
</body>
</html>