[ubuntu/questing-proposed] corosync 3.1.9-2ubuntu1 (Accepted)
Renan Rodrigo
renanrodrigo at canonical.com
Mon Jun 30 13:18:16 UTC 2025
corosync (3.1.9-2ubuntu1) questing; urgency=medium

  * Merge with Debian unstable (LP: #2110456). Remaining changes:
    - d/t/quorumtool: search for localhost instead of node1
    - d/p/Make-the-example-config-valid.patch: comment out the node name
      in config file. With this, we will keep the same behavior as we
      have in Bionic which is using the output of "uname -n" as the node
      name (LP #1874719).
    - d/p/lp1918735/0001-allow_knet_handle_fallback_default_yes.patch:
      Retry knet_handle_new without privileged flag (LP #1918735).
  * Dropped changes:
    - d/p/CVE-2025-30472.patch: check size of orf_token msg in exec/totemsrp.c
      [ Fixed in version 3.1.9-2 ]
corosync (3.1.9-2) unstable; urgency=medium

  * [d29071e] New patch: totemsrp: Check size of orf_token msg.
    Cherry-picked security fix for CVE-2025-30472, upstream commit
    7839990f9cdf34e55435ed90109e82709032466a.
    Corosync through 3.1.9, if encryption is disabled or the attacker knows
    the encryption key, has a stack-based buffer overflow in
    orf_token_endian_convert in exec/totemsrp.c via a large UDP packet.
    Thanks to Jan Friesse (Closes: #1102006)
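The kind of size check the entry above refers to, shown as an added illustration that is not corosync's own code: a simplified model of a variable-length token message whose byte-order conversion writes into fixed-size receiver storage, where the datagram length and the declared entry count are validated before any write. The struct layout, field offsets, RTR_LIST_MAX, the sample datagram and the function names are hypothetical, not the project's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define RTR_LIST_MAX 8 /* hypothetical cap on retransmit-request entries */
struct rtr_item { uint32_t seq; uint32_t ring_id; };
/* Receiver-side storage: fixed header plus a fixed-size entry array. */
struct orf_token {
    uint32_t seq, token_seq, rtr_list_entries;
    struct rtr_item rtr_list[RTR_LIST_MAX];
};
#define ORF_HDR_LEN offsetof(struct orf_token, rtr_list)
/* Read a big-endian 32-bit field from the wire. */
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
/* The check the unpatched receiver lacked: both the declared entry count and
 * the datagram length must fit the fixed storage before anything is written. */
bool orf_token_msg_valid(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < ORF_HDR_LEN)
        return false;
    uint32_t n = be32(msg + 8); /* rtr_list_entries field */
    return n <= RTR_LIST_MAX &&
           msg_len == ORF_HDR_LEN + (size_t)n * sizeof(struct rtr_item);
}

/* Wire (big-endian) to host order; writes nothing if validation fails. */
bool orf_token_endian_convert(const uint8_t *msg, size_t msg_len,
                              struct orf_token *out)
{
    if (!orf_token_msg_valid(msg, msg_len))
        return false;
    out->seq = be32(msg);
    out->token_seq = be32(msg + 4);
    out->rtr_list_entries = be32(msg + 8);
    for (uint32_t i = 0; i < out->rtr_list_entries; i++) {
        const uint8_t *it = msg + ORF_HDR_LEN + i * sizeof(struct rtr_item);
        out->rtr_list[i].seq = be32(it);
        out->rtr_list[i].ring_id = be32(it + 4);
    }
    return true;
}
/* Constructed sample datagram: seq=1, token_seq=2, entries (10,1) and (20,1). */
static const uint8_t sample_msg[28] = { 0,0,0,1, 0,0,0,2, 0,0,0,2,
    0,0,0,10, 0,0,0,1, 0,0,0,20, 0,0,0,1 };
/* Parses the sample; returns the second entry's seq (20), or 0 if rejected. */
uint32_t demo_second_seq(void)
{
    struct orf_token t;
    return orf_token_endian_convert(sample_msg, sizeof sample_msg, &t) ? t.rtr_list[1].seq : 0;
}
```

A datagram whose count field claims more entries than the storage holds, or whose length disagrees with its count, is rejected before the conversion loop runs, which is the property the upstream fix restores.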
corosync (3.1.9-1) unstable; urgency=medium

  * [f7dc244] New upstream release (3.1.9)
  * [f1ccd93] Drop upstreamed patch, refresh the rest
  * [0683a43] Update copyright years
  * [55b8efd] Update symbols files.
    Upstream commit 8d46eb01277 added version info to several already
    exported symbols. (It also removed a couple of names from the version
    scripts, but that part does not change the export lists since the
    respective symbols have long been removed from the libraries.) Since
    the new versions are also the default versions when resolving
    unversioned references, applications linked against the old Corosync
    libraries will find the new versioned symbols, so this change does not
    break the ABI.
  * [7e53a49] Update Standards-Version to 4.7.2 (no changes required)
Date: Wed, 25 Jun 2025 16:23:07 -0300
Changed-By: Renan Rodrigo <renanrodrigo at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Lukas Märdian <lukas.maerdian at canonical.com>
https://launchpad.net/ubuntu/+source/corosync/3.1.9-2ubuntu1
Format: 1.8
Date: Wed, 25 Jun 2025 16:23:07 -0300
Source: corosync
Built-For-Profiles: noudeb
Architecture: source
Version: 3.1.9-2ubuntu1
Distribution: questing
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Renan Rodrigo <renanrodrigo at canonical.com>
Closes: 1102006
Launchpad-Bugs-Fixed: 2110456
Original-Maintainer: Debian HA Maintainers <debian-ha-maintainers at lists.alioth.debian.org>
Vcs-Git: https://git.launchpad.net/~slyon/ubuntu/+source/corosync
Vcs-Git-Commit: 6764c14b97c3f2bd968745f9519d36dd2baad93a
Vcs-Git-Ref: refs/heads/merge-lp2110456-questing