[Debian-ha-maintainers] Bug#1102006: corosync: CVE-2025-30472
Ferenc Wágner
wferi at debian.org
Fri Apr 4 08:58:41 BST 2025
Salvatore Bonaccorso <carnil at debian.org> writes:
> CVE-2025-30472[0]:
> | Corosync through 3.1.9, if encryption is disabled or the attacker
> | knows the encryption key, has a stack-based buffer overflow in
> | orf_token_endian_convert in exec/totemsrp.c via a large UDP packet.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-30472
> https://www.cve.org/CVERecord?id=CVE-2025-30472
> [1] https://github.com/corosync/corosync/issues/778
Dear Salvatore,
Considering the linked discussion with Corosync upstream, do you think
Debian should release a patched package to bookworm? According to the
security tracker, this is a postponed minor issue in bullseye, and I do
not see why it would be weighted differently anywhere else. If it is, I
am willing to backport the patch and prepare updated packages for
bookworm and unstable. Upstream has not released a new version yet.
--
Thanks for your guidance,
Feri.