-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 09 May 2026 14:09:02 +0200
Source: pgbouncer
Architecture: source
Version: 1.25.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Changes:
 pgbouncer (1.25.2-1) unstable; urgency=medium
 .
   [ Bradford D. Boyle ]
   * New upstream version 1.25.2.
     - Security
       * Fix CVE-2026-6664: An integer overflow in network packet parsing code
         in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a
         crash. An unauthenticated remote attacker can crash PgBouncer with a
         malformed SCRAM authentication packet.
       * Fix CVE-2026-6665: The SCRAM code in PgBouncer before 1.25.2 did not
         check the return value of strlcat() correctly when building the
         contents of the SCRAM client-final-message. A malicious backend that
         sends a SCRAM server-final-message with a long nonce can trigger a
         stack overflow.
       * Fix CVE-2026-6666: A possible null pointer reference in PgBouncer
         before 1.25.2 could lead to a crash if a server sends an error
         response without an SQLSTATE field.
       * Fix CVE-2026-6667: PgBouncer before 1.25.2 did not perform an
         appropriate authorization check for the KILL_CLIENT admin command. All
         users with access to the administration console (which itself requires
         authorization) could run this command. It would have been correct to
         allow only users listed in the admin_users parameter.
     - Fixes
       * Clarify documentation of the default_pool_size parameter.
       * Correct documentation regarding client_tls13_ciphers and
         server_tls13_ciphers.
Checksums-Sha1:
0926a15180ff99bb08099eb6a0983f0acd3126c9 2597 pgbouncer_1.25.2-1.dsc
ed5f35dff0930bb67baf5d71e98cd19d377aea61 865371 pgbouncer_1.25.2.orig.tar.gz
8abb622d7e978837bb8c734e49c95648ad7d6475 12668 pgbouncer_1.25.2-1.debian.tar.xz
Checksums-Sha256:
8771d2b6aa50ecbd0284ddff6db832c0287c13566eb838f59c830f533f3e302e 2597 pgbouncer_1.25.2-1.dsc
924ad35113fd0a71c8e2dbe85b5d03445532e2b7b37a9f8a48983beea238b332 865371 pgbouncer_1.25.2.orig.tar.gz
ecb4c61c25ba1ca2ce12bf2fb95d8507f68f0d4df138428033225f9ed2033af7 12668 pgbouncer_1.25.2-1.debian.tar.xz
Files:
ba04ac7f5fb890941e4f5443cf3cb711 2597 database optional pgbouncer_1.25.2-1.dsc
9689b5ec4a60c25dc7791962b2863ca6 865371 database optional pgbouncer_1.25.2.orig.tar.gz
c60a2f76bbc2344ee3081d09b2a45f33 12668 database optional pgbouncer_1.25.2-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
=QFnP
-----END PGP SIGNATURE-----