-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 12 Oct 2025 11:02:59 +0200
Source: pgpool2
Architecture: source
Version: 4.1.4-3+deb11u2
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Closes: 1106119
Changes:
 pgpool2 (4.1.4-3+deb11u2) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS Team.
   * Fix CVE-2025-46801 (Closes: #1106119)
     Pgpool-II contains an authentication bypass by primary weakness
     vulnerability. If the vulnerability is exploited, an attacker may be
     able to log in to the system as an arbitrary user, allowing them to
     read or tamper with data in the database, and/or disable the database.
 .
     If enable_pool_hba = on, its auth method is "password", no password is
     registered in pool_passwd, and the auth method in pg_hba.conf is
     "scram-sha-256" or "md5", the first time a client connects to pgpool,
     authentication is performed as expected. But if a client connects to
     the cached connection, any password from the client is accepted.
 .
     This vulnerability affects systems where the authentication
     configuration matches one of the following patterns:
 .
     Pattern 1: This vulnerability occurs when all of the following
     conditions are met:
 .
     - The password authentication method is used in pool_hba.conf
     - allow_clear_text_frontend_auth = off
     - The user's password is not set in pool_passwd
     - The scram-sha-256 or md5 authentication method is used in pg_hba.conf
 .
     Pattern 2: This vulnerability occurs when all of the following
     conditions are met:
 .
     - enable_pool_hba = off
     - One of the following authentication methods is used in pg_hba.conf:
       password, pam, or ldap
 .
     Pattern 3: This vulnerability occurs when all of the following
     conditions are met:
 .
     - Raw mode is used (backend_clustering_mode = 'raw')
     - The md5 authentication method is used in pool_hba.conf
     - allow_clear_text_frontend_auth = off
     - The user's password is registered in pool_passwd in plain text or
       AES format
     - One of the following authentication methods is used in pg_hba.conf:
       password, pam, or ldap
 .
     Alternatively, you can modify your settings so that they do not match
     any of the vulnerable configuration patterns.
   * debian/tests/jdbc-tests: Use scram-sha-256 authentication.
Checksums-Sha1:
 e6b850965edfbd79f691c14891010a511364fe33 2674 pgpool2_4.1.4-3+deb11u2.dsc
 7b287d0b76d4df85d3fbdb9d818e91350d50c3a7 4276591 pgpool2_4.1.4.orig.tar.gz
 73aedf127e4f1eab5e2a1b4c49d7faea6222177b 33064 pgpool2_4.1.4-3+deb11u2.debian.tar.xz
 b55b1c26b84e594e50df4d3ff862f23935f5936a 5987 pgpool2_4.1.4-3+deb11u2_source.buildinfo
Checksums-Sha256:
 c3f4a4bc42f40802713d7354d1f2c3971f68003159de29c141fff2ce9fb6ca76 2674 pgpool2_4.1.4-3+deb11u2.dsc
 b793d516e21653e08b821af4816f69db262d876d9876372e9aa4f4539e1b6bb5 4276591 pgpool2_4.1.4.orig.tar.gz
 85920c406974fa4eb4494628ad5bee5b284a7713d9089685608801a46ac62431 33064 pgpool2_4.1.4-3+deb11u2.debian.tar.xz
 4c4f154fd42c060ed1a4df5558b6637f9bf270c14451edbcdb786349c7bb436c 5987 pgpool2_4.1.4-3+deb11u2_source.buildinfo
Files:
 97452648d5b1e6cfdecbd4cce837b071 2674 database optional pgpool2_4.1.4-3+deb11u2.dsc
 e41caf4f756e337eb894d0c7dde3c5f9 4276591 database optional pgpool2_4.1.4.orig.tar.gz
 3d296373aa65560c26f3fbd60e6d1975 33064 database optional pgpool2_4.1.4-3+deb11u2.debian.tar.xz
 51022824ee7e2168dd93eed8e176f75b 5987 database optional pgpool2_4.1.4-3+deb11u2_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmjxTF8ACgkQADoaLapB
CF8Ueg/7BoGG82BeSbYd4D7vjrgZoQtt1oMMpEMFwbX92Xl4mSfGdTSSk1sGYg1Q
o12ZdwIZ0qZ5zU8H74ZvNoflAv5SAGHQKXl4KuaVmYJRD/1oZ4fznKNFgGXH+XQO
EL9EDGS4yI3yR9JSwWcapwoGrgQRs5lRmxRpXWznvomOGel7Ks7lPczwGJNFb9rX
FqxJrMPr6r40T8q4fvT0sEi897ujqt4Ug+tAWPX9FfU4v+zdHwVN62r3auxk9Z0i
Jx1tSGYczU22aJQOsfRiTrd6zhaNiy9QDJAZa5eRF7JroYxkqPUs7Q1NSpkMsfxe
i+jVN1BKCkh3lLEQI5xs0/Ka4EHyiUf4C050MvxDQY1/Rm8TLJouuSI+ETlUCIpe
Ft02B/PRzzDilBpIFQQ+MqJZ6+iAcE3EFsYcbuQrTN7gxHPzkXQILchaVionTJwq
0hnqfVH6dz6bP4Mr7F5/nofXEtDMCsWkS1dFsu4GfPAZqpw+LuZZwhwlcAg87XnK
m3IC7VOFKoxjzlacISu46zz+KV4SGCwM0s5o6/xHmKUIwqEKhWU72DUNfWs2o/3N
1FPyjUlrKFlHMzqDWHh8T/KRq0Iv7yU1+ldCDyUxsGTpoSSx5Ky3b1d/DjP3m++n
x2luCIRgD9D49XCpo6ZLebnBGK80ia6NlNiDCBt/KLFzGxbshRU=
=63L3
-----END PGP SIGNATURE-----
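Added example, appended by the editor and not part of pgpool-II, the upstream advisory or the Debian package: a Python audit script that reads the four files the changelog names (pgpool.conf, pool_hba.conf, pg_hba.conf, pool_passwd) and reports which of the three CVE-2025-46801 configuration patterns a given user's settings match, so an operator can check a deployment before or after applying the update. Everything beyond the pattern conditions quoted above is an assumption: the minimal parsers, the simplified HBA matching (first line whose USER column is "all" or the audited user; DATABASE, ADDRESS and "+group" syntax are ignored), the pool_passwd prefix conventions used to classify entries as md5, AES, SCRAM or plain text, and the sample configurations, which are constructed for the fictitious user "alice" and do not describe any real system.

```python
# Added example: flags the CVE-2025-46801 configuration patterns for one user.
# Not pgpool-II or Debian code; parsers and HBA matching are simplified.
import re

def parse_kv_conf(text):
    """pgpool.conf style 'key = value'; '#' comments, quotes stripped, lowercased."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip().strip("'").lower()
    return conf

def parse_hba(text):
    """HBA lines: TYPE DATABASE USER [ADDRESS [NETMASK]] METHOD [OPTIONS]."""
    entries = []
    for raw in text.splitlines():
        cols = raw.split("#", 1)[0].split()
        if not cols:
            continue
        if cols[0] == "local":  # no ADDRESS column
            idx = 3
        elif len(cols) > 3 and ("/" in cols[3] or cols[3] in ("all", "samehost", "samenet")):
            idx = 4  # CIDR or keyword address, one column
        else:
            idx = 5  # address + netmask, two columns
        if len(cols) > idx:  # malformed lines are skipped in this example
            entries.append({"user": cols[2], "method": cols[idx].lower()})
    return entries

def hba_method_for(entries, user):
    """Simplified match: METHOD of the first line whose USER is 'all' or `user`."""
    return next((e["method"] for e in entries if e["user"] in ("all", user)), None)

def parse_pool_passwd(text):
    """pool_passwd: one 'username:secret' per line."""
    lines = (ln.strip() for ln in text.splitlines())
    return dict(ln.split(":", 1) for ln in lines if ln and ":" in ln and not ln.startswith("#"))

def pool_passwd_format(secret):
    """Assumed prefixes: 'md5'+32 hex, 'AES'+base64, 'SCRAM-SHA-256$'; else plain text."""
    if re.fullmatch(r"md5[0-9a-f]{32}", secret):
        return "md5"
    for prefix, name in (("AES", "aes"), ("SCRAM-SHA-256$", "scram-sha-256")):
        if secret.startswith(prefix):
            return name
    return "plaintext"

def audit_user(pgpool_conf, pool_hba, pg_hba, pool_passwd, user):
    """Return the advisory pattern numbers `user` matches ([] if none).
    Missing keys take pgpool.conf defaults: enable_pool_hba = off,
    allow_clear_text_frontend_auth = off."""
    conf = parse_kv_conf(pgpool_conf)
    pool_hba_on = conf.get("enable_pool_hba", "off") == "on"
    clear_text = conf.get("allow_clear_text_frontend_auth", "off") == "on"
    raw_mode = conf.get("backend_clustering_mode") == "raw"
    pool_method = hba_method_for(parse_hba(pool_hba), user) if pool_hba_on else None
    pg_method = hba_method_for(parse_hba(pg_hba), user)
    secrets = parse_pool_passwd(pool_passwd)
    stored = pool_passwd_format(secrets[user]) if user in secrets else None
    hits = []
    # Pattern 1: 'password' in pool_hba, no clear-text frontend auth, no pool_passwd
    # entry, backend scram-sha-256/md5: cached connection accepts any password.
    if (pool_method == "password" and not clear_text and stored is None
            and pg_method in ("scram-sha-256", "md5")):
        hits.append(1)
    # Pattern 2: pool_hba disabled, backend authenticates with password/pam/ldap.
    if not pool_hba_on and pg_method in ("password", "pam", "ldap"):
        hits.append(2)
    # Pattern 3: raw mode, 'md5' in pool_hba, no clear-text frontend auth,
    # plain-text or AES pool_passwd entry, backend password/pam/ldap.
    if (raw_mode and pool_method == "md5" and not clear_text
            and stored in ("plaintext", "aes") and pg_method in ("password", "pam", "ldap")):
        hits.append(3)
    return hits

# Constructed samples for user 'alice': (pgpool.conf, pool_hba.conf, pg_hba.conf, pool_passwd)
SAMPLES = {
    "pattern1": ("enable_pool_hba = on\nallow_clear_text_frontend_auth = off\n",
                 "host all all 0.0.0.0/0 password\n",
                 "host all all 0.0.0.0/0 scram-sha-256\n",
                 ""),  # alice has no pool_passwd entry
    "pattern2": ("enable_pool_hba = off\n", "",
                 "host all all 10.0.0.0/8 ldap ldapserver=ldap.example.test\n", ""),
    "pattern3": ("enable_pool_hba = on\nbackend_clustering_mode = 'raw'\n",
                 "host all all 0.0.0.0/0 md5\n",
                 "host all all 0.0.0.0/0 password\n",
                 "alice:AESY29uc3RydWN0ZWQ=\n"),  # constructed AES-style entry
    "safe": ("enable_pool_hba = on\nallow_clear_text_frontend_auth = off\n",
             "host all all 0.0.0.0/0 scram-sha-256\n",  # SCRAM end to end, as the
             "host all all 0.0.0.0/0 scram-sha-256\n",  # Debian jdbc test now uses
             "alice:SCRAM-SHA-256$4096:constructed$stored:server\n"),
}

def audit_samples(user="alice"):
    """Audit every sample; returns {name: [matched pattern numbers]}."""
    return {name: audit_user(*files, user) for name, files in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in audit_samples().items():
        print(f"{name}: {'matches pattern(s) ' + str(hits) if hits else 'no vulnerable pattern matched'}")
```

To run it against a real host, read the four files from their configured paths and call audit_user once per database role that is allowed to connect through pgpool; an empty list for every role means none of the three advisory patterns applies. The audit is per user because patterns 1 and 3 depend on whether, and in what format, that user's secret is present in pool_passwd, so a deployment can be vulnerable for some roles and not others.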