-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 26 May 2025 18:37:03 +0200
Source: pgbouncer
Architecture: source
Version: 1.15.0-1+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Andreas Henriksson <andreas@fatal.se>
Changes:
 pgbouncer (1.15.0-1+deb11u1) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
 .
   [ Christoph Berg ]
   * CVE-2021-3539: d/p/e4453c9151a2f5af0a9cb049b302a3f9f9654453.patch
     Make PgBouncer, when acting as a server, reject extraneous data after
     an SSL or GSS encryption handshake.
 .
     A man-in-the-middle with the ability to inject data into the TCP
     connection could stuff some cleartext data into the start of a
     supposedly encryption-protected database session. This could be
     abused to send faked SQL commands to the server, although that would
     only work if PgBouncer did not demand any authentication data.
     (However, a PgBouncer setup relying on SSL certificate authentication
     might well not do so.)
 .
     (Similar to CVE-2021-23214 in the PostgreSQL server.)
 .
   [ Andreas Henriksson ]
   * CVE-2025-2291: d/p/9912ee7f1af2e1b81d4d624a0da1cb49075ee78a.patch
     Account for VALID UNTIL in auth_query (fixes CVE-2025-2291)
     Previously PgBouncer did not take into account the VALID UNTIL of a
     user password when querying for password hashes using its auth_query.
     So if PgBouncer is used as a transparent proxy in front of Postgres,
     it could allow passwords that had already expired.
 .
     To solve this issue, this changes the default auth_query and the
     examples of custom auth_query functions in the documentation to take
     VALID UNTIL into account.
 .
     Since this can be considered a security issue in setups where
     VALID UNTIL is used to limit exposure of leaked passwords, this is
     tracked as CVE-2025-2291.
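The following SQL is an added illustration of the CVE-2025-2291 class of mistake, not the text of the Debian patch or of PgBouncer's own default: a lookup that ignores VALID UNTIL beside one that honours it through pg_shadow's valuntil column, with a constructed role pair to verify the behaviour. The function name, the pgbouncer schema and the pgbouncer role are assumptions.

```sql
-- Added example (assumed queries; not the patch text). When PgBouncer answers
-- client authentication from an auth_query result, the backend's own VALID
-- UNTIL check never runs for that client, so the query must enforce it.

-- Weak: returns the hash regardless of expiry, so an expired password still
-- authenticates at the proxy.
--   auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename = $1

-- Corrected: a hash is returned only while the validity window is open.
-- valuntil IS NULL means no VALID UNTIL was set, i.e. the password never expires.
--   auth_query = SELECT usename, passwd FROM pg_shadow
--                WHERE usename = $1 AND (valuntil IS NULL OR valuntil > now())

-- Custom lookup function form (assumed name/schema): SECURITY DEFINER so the
-- proxy role need not read pg_shadow directly; search_path pinned to avoid
-- object shadowing; returns zero rows, not NULLs, for an expired password.
CREATE SCHEMA IF NOT EXISTS pgbouncer;

CREATE OR REPLACE FUNCTION pgbouncer.user_lookup(i_username text)
RETURNS TABLE (uname text, phash text)
LANGUAGE sql SECURITY DEFINER
SET search_path = pg_catalog
AS $$
    SELECT usename::text, passwd::text
      FROM pg_shadow
     WHERE usename = i_username
       AND (valuntil IS NULL OR valuntil > now());
$$;

REVOKE ALL ON FUNCTION pgbouncer.user_lookup(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION pgbouncer.user_lookup(text) TO pgbouncer;

-- Constructed check: one role expired long ago, one that never expires.
CREATE ROLE demo_expired LOGIN PASSWORD 'constructed-example' VALID UNTIL '2000-01-01';
CREATE ROLE demo_active  LOGIN PASSWORD 'constructed-example' VALID UNTIL 'infinity';

SELECT count(*) AS rows_for_expired FROM pgbouncer.user_lookup('demo_expired'); -- 0
SELECT count(*) AS rows_for_active  FROM pgbouncer.user_lookup('demo_active');  -- 1

DROP ROLE demo_expired;
DROP ROLE demo_active;
```

Point PgBouncer at the function with auth_query = SELECT uname, phash FROM pgbouncer.user_lookup($1); the zero-row result for the expired role is what makes the proxy refuse the login.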