Hi Ferenc,

On Fri, Apr 04, 2025 at 09:58:41AM +0200, Ferenc Wágner wrote:
> Salvatore Bonaccorso <[email protected]> writes:
>
> > CVE-2025-30472[0]:
> > | Corosync through 3.1.9, if encryption is disabled or the attacker
> > | knows the encryption key, has a stack-based buffer overflow in
> > | orf_token_endian_convert in exec/totemsrp.c via a large UDP packet.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2025-30472
> >     https://www.cve.org/CVERecord?id=CVE-2025-30472
> > [1] https://github.com/corosync/corosync/issues/778
>
> Dear Salvatore,
>
> Considering the linked discussion with Corosync upstream, do you think
> Debian should release a patched package to bookworm? According to the
> security tracker, this is a postponed minor issue in bullseye, and I do
> not see why it would be weighted differently anywhere else. If it is, I
> am willing to backport the patch and prepare update packages for
> bookworm and unstable. Upstream has not released a new version yet.
Right, I do not think this will, for instance, warrant a DSA. I would propose to include the fix just in a point release, either together with other fixes or once a more important issue arises for corosync. I will mark it as no-dsa later in the tracker.

Regards,
Salvatore
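The CVE text quoted above ties exploitability to encryption being disabled (or the key being known). As an added illustration, not part of this thread, here is the totem section of a corosync.conf with traffic encryption turned off next to one with it enabled. The key names crypto_cipher and crypto_hash are corosync's own totem options; the specific cipher and hash values shown are an assumption chosen for illustration, and the rest of the file is omitted.

```conf
# Added example, not from the thread. Weak setting: no cipher and no hash
# means totem traffic is neither encrypted nor authenticated, so any
# packet reaching the UDP port is processed as-is.
totem {
    version: 2
    crypto_cipher: none
    crypto_hash: none
}

# Corrected setting: packets must carry a valid authentication tag under
# the shared authkey before totem processes them (assumed values).
totem {
    version: 2
    crypto_cipher: aes256
    crypto_hash: sha256
}
```

Checking which of the two shapes a cluster runs is a quick way to judge how much the "encryption is disabled" condition in the advisory applies; with crypto enabled, the remaining precondition is possession of the node's authkey, which also has to be protected and distributed accordingly.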

