Your message dated Sun, 03 May 2026 19:34:43 +0000
with message-id <[email protected]>
and subject line Bug#1133837: fixed in corosync 3.1.10-2
has caused the Debian Bug report #1133837,
regarding corosync: CVE-2026-35092
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1133837: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133837
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: corosync
Version: CVE-2026-35092
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for corosync.
CVE-2026-35092[0]:
| A flaw was found in Corosync. An integer overflow vulnerability in
| Corosync's join message sanity validation allows a remote,
| unauthenticated attacker to send crafted User Datagram Protocol
| (UDP) packets. This can cause the service to crash, leading to a
| denial of service. This vulnerability specifically affects Corosync
| deployments configured to use totemudp/totemudpu mode.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-35092
https://www.cve.org/CVERecord?id=CVE-2026-35092
[1] https://github.com/corosync/corosync/commit/4082294f5094a7591e4e00658c5a605f05d644f1
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: corosync
Source-Version: 3.1.10-2
Done: Ferenc Wágner <[email protected]>
We believe that the bug you reported is fixed in the latest version of
corosync, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ferenc Wágner <[email protected]> (supplier of updated corosync package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 03 May 2026 19:11:34 +0200
Source: corosync
Architecture: source
Version: 3.1.10-2
Distribution: unstable
Urgency: medium
Maintainer: Debian HA Maintainers <[email protected]>
Changed-By: Ferenc Wágner <[email protected]>
Closes: 1133837 1133838
Changes:
corosync (3.1.10-2) unstable; urgency=medium
.
* [9e54989] New patch: totemsrp: Return error if sanity check fails.
Fixes CVE-2026-35091. Thanks to Jan Friesse (Closes: #1133838)
* [662fcc1] New patch: totemsrp: Fix integer overflow in memb_join_sanity.
Fixes CVE-2026-35092. Thanks to Jan Friesse (Closes: #1133837)
* [897f05b] Update Standards-Version to 4.7.4 (no changes required)
* [267bcf5] New patch: man: drop extra .TP from corosync-keygen.8
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---