openSUSE has issued an advisory on March 28: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/L63W4FOTC7DCCZ5Z6IDGHNMPP3LXH2YY/
Status comment: (none) => Patches available from openSUSE
CVE: (none) => CVE-2025-30472
Source RPM: (none) => corosync-3.1.8-1.mga10.src.rpm, corosync-3.1.7-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Corosync through 3.1.9, if encryption is disabled or the attacker knows the encryption key, has a stack-based buffer overflow in orf_token_endian_convert in exec/totemsrp.c via a large UDP packet. (CVE-2025-30472)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/L63W4FOTC7DCCZ5Z6IDGHNMPP3LXH2YY/
========================

Updated packages in core/updates_testing:
========================
corosync-3.1.7-1.1.mga9
lib(64)cfg7-3.1.7-1.1.mga9
lib(64)cmap4-3.1.7-1.1.mga9
lib(64)corosync-devel-3.1.7-1.1.mga9
lib(64)corosync_common4-3.1.7-1.1.mga9
lib(64)cpg4-3.1.7-1.1.mga9
lib(64)quorum5-3.1.7-1.1.mga9
lib(64)sam4-3.1.7-1.1.mga9
lib(64)votequorum8-3.1.7-1.1.mga9

from SRPM:
corosync-3.1.7-1.1.mga9.src.rpm
Version: Cauldron => 9
Status: NEW => ASSIGNED
Status comment: Patches available from openSUSE => (none)
Assignee: bugsquad => qa-bugs
Source RPM: corosync-3.1.8-1.mga10.src.rpm, corosync-3.1.7-1.mga9.src.rpm => corosync-3.1.7-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
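The advisory's precondition ("if encryption is disabled") can be checked on each node from the totem section of corosync.conf. The following is an added example, not part of this bug report or of corosync itself; it assumes the corosync.conf(5) defaults (crypto_cipher and crypto_hash default to none, and the deprecated secauth: on implies aes256/sha256 unless a key is set explicitly), and both sample configs are constructed.

```python
import sys

# Constructed sample configs (not taken from the bug report).
SAMPLE_PLAIN = """\
totem {
    version: 2
    cluster_name: testcluster
    # crypto_cipher: aes256
    interface {
        linknumber: 0
    }
}
nodelist {
    node {
        ring0_addr: 192.0.2.10
        nodeid: 1
    }
}
"""
SAMPLE_ENCRYPTED = "totem {\n    crypto_cipher: aes256\n    crypto_hash: sha256\n}\n"

def parse_section(text, wanted="totem"):
    """Return the key: value pairs set directly inside one top-level section."""
    stack, found = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        if line.endswith("{"):                 # section opens, e.g. "totem {"
            stack.append(line[:-1].strip())
        elif line == "}":                      # section closes
            if stack:
                stack.pop()
        elif ":" in line and stack == [wanted]:
            key, value = line.split(":", 1)
            found[key.strip()] = value.strip().lower()
    return found

def effective_crypto(text):
    """Resolve cipher/hash as assumed above: explicit keys win over secauth."""
    totem = parse_section(text)
    legacy = totem.get("secauth") == "on"
    cipher = totem.get("crypto_cipher", "aes256" if legacy else "none")
    digest = totem.get("crypto_hash", "sha256" if legacy else "none")
    return {"cipher": cipher, "hash": digest, "encryption_disabled": cipher == "none"}

if __name__ == "__main__":
    # With a path argument, check that file; otherwise run on the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAIN
    print(effective_crypto(text))
```

A node reporting encryption_disabled as True meets the first precondition in the advisory text and should get the updated packages first.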
Keywords: (none) => advisory
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Used work by Dave Hodgins and Lewis Smith in bug 22905.
First I had to change the corosync.conf to point the logging to the "correct?" location of /var/log/corosync/corosync.log.
I will not make this a blocking point, but I find it strange that a default installation should point to a non-existing location.
Further uncommented in the same conf file the line for ring0_addr and filled out with my own IP-address.
Then:

# systemctl start corosync.service
# systemctl -l status corosync.service
● corosync.service - Corosync Cluster Engine
     Loaded: loaded (/usr/lib/systemd/system/corosync.service; disabled; preset: disabled)
     Active: active (running) since Sat 2025-04-05 14:25:23 CEST; 24s ago
       Docs: man:corosync
             man:corosync.conf
             man:corosync_overview
   Main PID: 159068 (corosync)
      Tasks: 9 (limit: 8806)
     Memory: 110.9M
        CPU: 444ms
     CGroup: /system.slice/corosync.service
             └─159068 /usr/sbin/corosync -f

Apr 05 14:25:23 mach3.hviaene.thuis corosync[159068]: [SERV ] Service engine loaded: corosync cluster quorum service v0.1 [3]
Apr 05 14:25:23 mach3.hviaene.thuis corosync[159068]: [QB ] server name: quorum
Apr 05 14:25:23 mach3.hviaene.thuis corosync[159068]: [TOTEM ] Configuring link 0
Apr 05 14:25:23 mach3.hviaene.thuis corosync[159068]: [TOTEM ] Configured link number 0: local addr: 192.168.2.3, port=5405
Apr 05 14:25:23 mach3.hviaene.thuis corosync[159068]: [KNET ] link: Resetting MTU for link 0 because host 1 joined
Apr 05 14:25:23 mach3.hviaene.thuis corosync[159068]: [QUORUM] Sync members[1]: 1
Apr 05 14:25:23 mach3.hviaene.thuis corosync[159068]: [QUORUM] Sync joined[1]: 1
Apr 05 14:25:23 mach3.hviaene.thuis systemd[1]: Started corosync.service.
Apr 05 14:25:23 mach3.hviaene.thuis corosync[159068]: [TOTEM ] A new membership (1.5) was formed. Members joined: 1
Apr 05 14:25:23 mach3.hviaene.thuis corosync[159068]: [MAIN ] Completed service synchronization, ready to provide service.

# corosync-blackbox
Dumping the contents of /var/lib/corosync/fdata
[debug] shm size:8392704; real_size:8392704; rb->word_size:2098176
[debug] read total of: 8392724
Ringbuffer:
 ->NORMAL
 ->write_pt [5423]
 ->read_pt [0]
 ->size [2098176 words]
 =>free [8371008 bytes]
 =>used [21692 bytes]
notice Apr 05 14:25:22.459 main(1397):8: Corosync Cluster Engine 3.1.7 starting up
info Apr 05 14:25:22.459 main(1398):8: Corosync built-in features: systemd pie relro bindnow
debug Apr 05 14:25:22.459 totemip_parse(411):13: totemip_parse: IPv4 address of 192.168.2.3 resolved as 192.168.2.3
debug Apr 05 14:25:22.459 totemip_parse(411):13: totemip_parse: IPv4 address of 192.168.2.3 resolved as 192.168.2.3
debug Apr 05 14:25:22.469 configure_link_params(1242):13: Configuring link 0 params
debug Apr 05 14:25:22.469 totemip_parse(411):13: totemip_parse: IPv4 address of 192.168.2.3 resolved as 192.168.2.3

and a lot more that I do not understand, but at least it seems to basically work.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
Validating. Since this is a security update, I'm sending it on without debating the need to edit the conf file. Correcting where it points might be something to consider for Cauldron, though.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0127.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED