Format: 1.8
Date: Fri, 26 Nov 2021 11:19:53 +0100
Source: pgbouncer
Architecture: source
Version: 1.16.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
 pgbouncer (1.16.1-1) unstable; urgency=medium
 .
   * New upstream version.
 .
     Make PgBouncer acting as a server reject extraneous data after an SSL or
     GSS encryption handshake.
 .
     A man-in-the-middle with the ability to inject data into the TCP
     connection could stuff some cleartext data into the start of a
     supposedly encryption-protected database session. This could be abused
     to send faked SQL commands to the server, although that would only work
     if PgBouncer did not demand any authentication data. (However, a
     PgBouncer setup relying on SSL certificate authentication might well not
     do so.)
 .
     (Similar to CVE-2021-23214 in the PostgreSQL server.)
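
The check the changelog describes, sketched as an added example (not PgBouncer's or PostgreSQL's own code): a server that sees an SSLRequest or GSSENCRequest refuses the connection if any further bytes are already buffered behind it. The function name, the verdict enum and the sample byte strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Request codes from the PostgreSQL wire protocol: (1234 << 16) | 5679 / 5680. */
#define SSL_REQUEST_CODE    80877103u
#define GSSENC_REQUEST_CODE 80877104u
#define ENC_REQUEST_LEN     8u   /* Int32 length + Int32 code */

enum verdict { NEED_MORE, NOT_ENC_REQUEST, START_HANDSHAKE, REJECT_EXTRA_DATA };

/* Constructed samples: a bare SSLRequest, and one with a cleartext Query stuffed behind it. */
static const unsigned char clean_request[] = { 0, 0, 0, 8, 0x04, 0xD2, 0x16, 0x2F };
static const unsigned char stuffed_request[] = {
    0, 0, 0, 8, 0x04, 0xD2, 0x16, 0x2F,
    'Q', 0, 0, 0, 13, 'S', 'E', 'L', 'E', 'C', 'T', ' ', '1', 0
};

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* buf/len: all bytes read from the socket before encryption starts (hypothetical helper). */
enum verdict check_encryption_request(const unsigned char *buf, size_t len)
{
    uint32_t code;

    if (len < ENC_REQUEST_LEN)
        return NEED_MORE;
    if (be32(buf) != ENC_REQUEST_LEN)
        return NOT_ENC_REQUEST;          /* e.g. a plain startup packet */
    code = be32(buf + 4);
    if (code != SSL_REQUEST_CODE && code != GSSENC_REQUEST_CODE)
        return NOT_ENC_REQUEST;
    /* The client's handshake comes only after the server's one-byte reply, so
     * bytes already buffered behind the request arrived unencrypted. Drop the
     * connection instead of carrying them into the protected session. */
    if (len > ENC_REQUEST_LEN)
        return REJECT_EXTRA_DATA;
    return START_HANDSHAKE;
}

int main(void)
{
    printf("clean:   %d\n", check_encryption_request(clean_request, sizeof clean_request));
    printf("stuffed: %d\n", check_encryption_request(stuffed_request, sizeof stuffed_request));
    return 0;
}
```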