Hi Honza/Team,

The whole situation is nicely summarized by Thomas Lamprecht:
Corosync either runs encrypted or in a trusted network, anything else, i.e. 
where this is actually a problem, is just gross negligence and leaks the whole 
cluster traffic already anyway.

Likelihood of attack: As mentioned in the statement above, in our application
Corosync encryption is enabled by default, the encryption key is secured, and
only the superuser in the system can access it. But if the private key somehow
"leaks", it will have a high impact on the entire cluster traffic.

We are requesting an official release for the reasons below:

1) Any open-source project should use official releases rather than 
commit-based builds. Commit-based builds may lack thorough testing and could 
introduce regressions or incomplete features. In contrast, official releases 
undergo rigorous validation, including CI/CD pipelines, unit tests, and 
integration tests. They also incorporate security patches and verified 
checksums to ensure integrity. Additionally, official releases provide detailed 
release notes and changelogs, simplifying change tracking and version 
management.
2) Applying the Corosync security patch independently while retaining the same 
version (e.g., 3.1.9) is not considered an official release by the community. 
As a result, when the VA scan tool is executed, vulnerabilities may still be 
detected in the updated version.
   Reference: https://www.tenable.com/cve/CVE-2025-30472

Therefore, it is recommended to adopt the official release for CVE-2025-30472 
security fixes and provide a timeline for the expected new version that 
includes the reported CVE fixes.

Thanks and Regards,
S Sathish
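The message above relies on two conditions holding on every node: totem traffic is encrypted and authenticated, and the shared key file is readable only by root. The following Python script is an added illustration of how an operator could verify both conditions; it is not code from the post, from Corosync, or from the ClusterLabs project. It assumes the standard corosync.conf layout (a `totem { ... }` block with `crypto_cipher` and `crypto_hash` keys) and the conventional key location `/etc/corosync/authkey`; the config fragments embedded in it are constructed samples. Because corosync 3.x treats a missing `crypto_cipher`/`crypto_hash` as `none`, the checker treats an absent key the same way.

```python
import os
import re
import stat
import tempfile

# Constructed sample corosync.conf fragments (not taken from the post).
HARDENED_CONF = """\
totem {
    version: 2
    cluster_name: demo
    crypto_cipher: aes256
    crypto_hash: sha256
}
"""

WEAK_CONF = """\
totem {
    version: 2
    cluster_name: demo
    # no crypto_* keys at all: corosync 3.x then defaults to 'none'
}
"""

# Assumed conventional key path; override if your distribution differs.
DEFAULT_AUTHKEY = "/etc/corosync/authkey"


def parse_totem(conf_text):
    """Return key: value pairs from the top-level totem { ... } block.

    Simple regex parser: it stops at the first closing brace, so nested
    sub-blocks inside totem (e.g. interface { ... }) are not descended into,
    which is fine because crypto_* keys live directly under totem.
    """
    m = re.search(r"\btotem\s*\{(.*?)\}", conf_text, re.S)
    if not m:
        return {}
    settings = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip()
    return settings


def encryption_findings(conf_text):
    """Return a list of findings; an empty list means totem traffic is protected."""
    totem = parse_totem(conf_text)
    findings = []
    if totem.get("crypto_cipher", "none").lower() == "none":
        findings.append("crypto_cipher is 'none': totem traffic is not encrypted")
    if totem.get("crypto_hash", "none").lower() == "none":
        findings.append("crypto_hash is 'none': totem traffic is not authenticated")
    return findings


def authkey_findings(path=DEFAULT_AUTHKEY, require_root_owner=True):
    """Check that the shared key is readable only by its owner (and owned by root)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & 0o077:  # any group/other permission bit set
        findings.append(f"{path} is accessible by group/other (mode {oct(mode)})")
    if require_root_owner and st.st_uid != 0:
        findings.append(f"{path} is not owned by root (uid {st.st_uid})")
    return findings


def demo_authkey_check():
    """Create two throwaway key files and return (findings_good, findings_bad).

    Ownership is not checked here because the demo does not run as root.
    """
    tmpdir = tempfile.mkdtemp()
    good = os.path.join(tmpdir, "authkey_good")
    bad = os.path.join(tmpdir, "authkey_bad")
    for p in (good, bad):
        with open(p, "wb") as fh:
            fh.write(b"constructed-key-material")
    os.chmod(good, 0o600)  # owner read/write only
    os.chmod(bad, 0o644)   # world-readable: the "leak" the post worries about
    return (authkey_findings(good, require_root_owner=False),
            authkey_findings(bad, require_root_owner=False))


if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print(name, encryption_findings(conf) or ["ok"])
    print("authkey demo:", demo_authkey_check())
```

On a real node, run it as root with `encryption_findings(open("/etc/corosync/corosync.conf").read())` and `authkey_findings()`; any non-empty list is a condition under which the quoted "trusted network or encrypted" assumption no longer holds.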
_______________________________________________
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/