
Debian alert DLA-4608-1 (corosync)

From:  Emmanuel Arias <eamanu@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 4608-1] corosync security update
Date:  Sat, 30 May 2026 00:26:55 -0300
Message-ID:  <ahpY_-1smlO_6t5M@debian>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4608-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Emmanuel Arias
May 30, 2026                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : corosync
Version        : 3.1.2-2+deb11u2
CVE ID         : CVE-2026-35091 CVE-2026-35092
Debian Bug     : 1133837 1133838

Two vulnerabilities have been found in corosync, a cluster engine daemon
and utilities, that allow a remote, unauthenticated attacker to cause a
denial of service.

CVE-2026-35091

    A remote unauthenticated attacker can exploit a wrong return value
    vulnerability in the Corosync membership commit token sanity check by
    sending a specially crafted User Datagram Protocol (UDP) packet. This
    can lead to an out-of-bounds read, causing a denial of service (DoS)
    and potentially disclosing limited memory contents.

CVE-2026-35092

    An integer overflow vulnerability in Corosync's join message sanity
    validation allows a remote, unauthenticated attacker to send crafted
    User Datagram Protocol (UDP) packets. This can cause the service to
    crash, leading to a denial of service.

For Debian 11 bullseye, these problems have been fixed in version
3.1.2-2+deb11u2.

We recommend that you upgrade your corosync packages.

For the detailed security status of corosync please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/corosync

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
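The two bug classes the advisory names, a length sanity check whose multiplication can wrap (CVE-2026-35092) and a sanity check whose rejection path returns the success code (CVE-2026-35091), are shown below in generic form, each beside a hardened version. This is an added example written for this page; it is not corosync source and the message layout (a 4-byte entry count followed by fixed-size entries, a `MAX_ENTRIES` limit of 1024, a `0 = ok / -1 = reject` return convention) is constructed for illustration only.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical "join"-style message used only for this example: a 4-byte
 * entry count followed by entry_count fixed-size entries. This is a
 * constructed format, not corosync's wire protocol. */
#define ENTRY_SIZE  4u
#define MAX_ENTRIES 1024u           /* assumed protocol limit */
#define PKT_LEN     8u              /* header + one entry in the demo packets */

/* Overflow-prone length check: entry_count * ENTRY_SIZE is evaluated in
 * 32 bits and can wrap, so a huge count can produce a small "needed" value
 * that passes the comparison. Code that later trusts entry_count then
 * reads past the end of the datagram. */
int validate_join_unsafe(const uint8_t *buf, uint32_t len)
{
    uint32_t entry_count;
    if (len < sizeof entry_count)
        return 0;
    memcpy(&entry_count, buf, sizeof entry_count);
    uint32_t needed = (uint32_t)sizeof entry_count + entry_count * ENTRY_SIZE;
    return needed <= len;           /* 1 = accept, 0 = reject */
}

/* Hardened form: bound the count before it enters any arithmetic, and do
 * the size computation in a wider type so it cannot wrap. */
int validate_join_safe(const uint8_t *buf, uint32_t len)
{
    uint32_t entry_count;
    if (len < sizeof entry_count)
        return 0;
    memcpy(&entry_count, buf, sizeof entry_count);
    if (entry_count > MAX_ENTRIES)
        return 0;
    uint64_t needed = (uint64_t)sizeof entry_count + (uint64_t)entry_count * ENTRY_SIZE;
    return needed <= len;
}

/* Sanity check reporting its verdict as a return code (0 = ok, -1 = reject).
 * The rejection branch exists but returns the success code, so a caller
 * goes on to read declared_len bytes from a shorter buffer. */
int token_sanity_unsafe(uint32_t len, uint32_t declared_len)
{
    if (declared_len > len)
        return 0;                   /* BUG: should be -1 */
    return 0;
}

/* Corrected check: the rejection branch actually signals rejection. */
int token_sanity_safe(uint32_t len, uint32_t declared_len)
{
    if (declared_len > len)
        return -1;
    return 0;
}

/* Build a constructed demo packet (host byte order is fine in-process). */
static void build_packet(uint8_t out[PKT_LEN], uint32_t entry_count)
{
    memcpy(out, &entry_count, sizeof entry_count);
    memset(out + sizeof entry_count, 0xAA, PKT_LEN - sizeof entry_count);
}

/* Run one validator over a demo packet carrying the given entry count. */
int check_join(int (*validator)(const uint8_t *, uint32_t), uint32_t entry_count)
{
    uint8_t pkt[PKT_LEN];
    build_packet(pkt, entry_count);
    return validator(pkt, PKT_LEN);
}

int main(void)
{
    /* 0x40000001 * 4 wraps to 4 in 32-bit arithmetic, so the unsafe check
     * computes needed = 8 and accepts an 8-byte packet claiming ~1G entries. */
    const uint32_t benign = 1, wrapping = 0x40000001u;

    printf("join  benign   unsafe=%d safe=%d\n",
           check_join(validate_join_unsafe, benign), check_join(validate_join_safe, benign));
    printf("join  wrapping unsafe=%d safe=%d\n",
           check_join(validate_join_unsafe, wrapping), check_join(validate_join_safe, wrapping));
    printf("token oversize unsafe=%d safe=%d\n",
           token_sanity_unsafe(PKT_LEN, 100), token_sanity_safe(PKT_LEN, 100));
    return 0;
}
```

The two defensive points generalize beyond this toy format: reject counts against a protocol maximum before multiplying them, or compute sizes in a type wide enough that the product cannot wrap; and keep the return-code convention of every sanity function uniform and covered by a test that feeds it an oversized length, since a check that never returns its failure code is indistinguishable from no check at all.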


Attachment: signature.asc (type=application/pgp-signature)

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEE3lnVbvHK7ir4q61+p3sXeEcY/EFAmoaWP4ACgkQ+p3sXeEc
Y/EYGxAAt1cpi2ol5xuy0hP/9wq6faeDm1iODu+XuFWEG0YwuNpz87kPJbHUbZN5
w+IrCBYNl4sRuioYIOMAvkdNbdUJpfXtLQPToOV7YcndJAojo1tS3HXrmAqyPyXT
GnEXkT3reYQU9ZUNA6GkRKPF4MMj+aBXQ2obE6JTzibCs6z7kgwSr51j94bTEcPh
lnF3huY7NERg5bVHjOEu6xA1UpXIzkruIP8Ugt6pIUjJDJlBVdK+jgpO4Yi3XKUP
Ur26m5U8Gj1KxWw9OoZ7Ll201GLp6nNYDwN1jBxQnzgBXizAZiDsnpUd1FYavX0B
e+ePd+p9Lzn/touWIoyeDF2Ke9rINez6eL7eLVBjfTD1hPyrC2VCkxv3CqkZkTer
uy9GLXA/2fUZn4QVx1sSmI7tBwal5sqeh8bohgGvqWvoTtkB4WYTZHEHEVM6DjO3
h0eRdNVl51U/5prstQ2DRMpAkFS8+yrxyh/RC5qrX/xJI8VVmh5n1ybw1bVVXkmV
41ZDohDmcL/18l6/bBU1SYe0uFP+ZEVgcr/mtjy4DP9hk0P9yAQ1Uxlwtd51oywS
NVEVu6fVRrVFg63eV2zCLtOvwldV3GBYma6qkb1nWoIuh7AqpSgidvGi+IVRLnCa
eh+mHOgj0WrlExZI9S7i1A7exxcj/u7pThkX0Ml+PcCYVaMIom0=
=XN9F
-----END PGP SIGNATURE-----




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds