This bug was fixed in the package corosync - 3.1.9-2ubuntu1

---------------
corosync (3.1.9-2ubuntu1) questing; urgency=medium

  * Merge with Debian unstable (LP: #2110456). Remaining changes:
    - d/t/quorumtool: search for localhost instead of node1
    - d/p/Make-the-example-config-valid.patch: comment out the node name
      in config file. With this, we will keep the same behavior as we
      have in Bionic which is using the output of "uname -n" as the node
      name (LP #1874719).
    - d/p/lp1918735/0001-allow_knet_handle_fallback_default_yes.patch:
      Retry knet_handle_new without privileged flag (LP #1918735).
  * Dropped changes:
    - d/p/CVE-2025-30472.patch: check size of orf_token msg in exec/totemsrp.c
      [ Fixed in version 3.1.9-2 ]

corosync (3.1.9-2) unstable; urgency=medium

  * [d29071e] New patch: totemsrp: Check size of orf_token msg.
    Cherry-picked security fix for CVE-2025-30472, upstream commit
    7839990f9cdf34e55435ed90109e82709032466a.
    Corosync through 3.1.9, if encryption is disabled or the attacker knows
    the encryption key, has a stack-based buffer overflow in
    orf_token_endian_convert in exec/totemsrp.c via a large UDP packet.
    Thanks to Jan Friesse (Closes: #1102006)

corosync (3.1.9-1) unstable; urgency=medium

  * [f7dc244] New upstream release (3.1.9)
  * [f1ccd93] Drop upstreamed patch, refresh the rest
  * [0683a43] Update copyright years
  * [55b8efd] Update symbols files.
    Upstream commit 8d46eb01277 added version info to several already
    exported symbols.  (It also removed a couple of names from the version
    scripts, but that part does not change the export lists since the
    respective symbols have long been removed from the libraries.)  Since
    the new versions are also the default versions when resolving
    unversioned references, applications linked against the old Corosync
    libraries will find the new versioned symbols, so this change does not
    break the ABI.
  * [7e53a49] Update Standards-Version to 4.7.2 (no changes required)

 -- Renan Rodrigo <[email protected]>  Wed, 25 Jun 2025 16:23:07 -0300

** Changed in: corosync (Ubuntu)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-30472

https://bugs.launchpad.net/bugs/2110456

Title:
  Merge corosync from Debian Unstable for questing
