-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 May 2026 15:05:50 -0300
Source: corosync
Architecture: source
Version: 3.1.2-2+deb11u2
Distribution: bullseye-security
Urgency: high
Maintainer: Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Arias <eamanu@debian.org>
Closes: 1133837 1133838
Changes:
 corosync (3.1.2-2+deb11u2) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2026-35091: Fix a flaw to return error if sanity check fails
     (Closes: #1133838).
     - Previously, the check_memb_commit_token_sanity function correctly
       checked the minimum message length. However, if the message was
       too short, it incorrectly returned a success code (0) instead of
       the expected failure code (-1).
   * CVE-2026-35092: Fix an integer overflow vulnerability in the
     check_memb_join_sanity function (Closes: #1133837).
     - Cast the list entries to size_t and verify that neither exceeds
       the maximum allowed value before the addition occurs.
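
An added C illustration (not corosync source and not part of this upload) of the two check patterns the changelog above describes: a sanity check that reports success on a too-short message, and a length computation whose entry counts are widened to size_t and bounded before they are added. The struct layouts, function names, the assumed pre-fix arithmetic and the MAX_ENTRIES limit are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins, NOT corosync's definitions. */
#define MAX_ENTRIES 384u                       /* assumed per-list limit */
struct join_hdr  { uint32_t proc_entries, failed_entries; };
struct addr_item { uint8_t raw[32]; };

/* CVE-2026-35091 pattern, before: short message detected, success returned. */
int token_sanity_before(size_t msg_len, size_t min_len)
{
    if (msg_len < min_len)
        return 0;                              /* should have been -1 */
    return 0;
}

/* After: the failed check is reported to the caller. */
int token_sanity_after(size_t msg_len, size_t min_len)
{
    return msg_len < min_len ? -1 : 0;
}

/* CVE-2026-35092 pattern, before (assumed form): the counts are added in
 * 32 bits, so the sum can wrap and the required length comes out too small. */
int join_sanity_before(const struct join_hdr *h, size_t msg_len)
{
    uint32_t entries = h->proc_entries + h->failed_entries;
    size_t required = sizeof *h + (size_t)entries * sizeof(struct addr_item);
    return msg_len < required ? -1 : 0;
}

/* After: widen to size_t and bound each count before adding. */
int join_sanity_after(const struct join_hdr *h, size_t msg_len)
{
    size_t proc = (size_t)h->proc_entries, failed = (size_t)h->failed_entries;
    if (proc > MAX_ENTRIES || failed > MAX_ENTRIES)
        return -1;
    size_t required = sizeof *h + (proc + failed) * sizeof(struct addr_item);
    return msg_len < required ? -1 : 0;
}

int main(void)
{
    struct join_hdr wrap = { 0xFFFFFFFFu, 1u };   /* constructed input */
    printf("before=%d after=%d\n", join_sanity_before(&wrap, sizeof wrap),
           join_sanity_after(&wrap, sizeof wrap));
    return 0;
}
```

With the constructed header, the 32-bit sum wraps to zero, so the "before" check accepts a message that carries no entries at all while the "after" check rejects it.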