CVE-2025-2291:
Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value, which allows an attacker to log in with an already expired password
CVE-2025-2291:
Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value, which allows an attacker to log in with an already expired password
1 issue postponed or untriaged:
CVE-2021-3935:
(needs triaging)
When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate verification and encryption. This flaw affects PgBouncer versions prior to 1.16.1.
CVE-2025-2291:
Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value, which allows an attacker to log in with an already expired password
Among the 1 debian patch
available in version 1.24.1-1 of the package,
we noticed the following issues:
1 patch
where the metadata indicates that the patch has not yet been forwarded
upstream. You should either forward the patch upstream or update the
metadata to document its real status.
Standards version of the package is outdated.
wishlist
The package should be updated to follow the last version of Debian Policy
(Standards-Version 4.7.2 instead of
4.5.0).
Migration status for pgbouncer (1.24.0-3 to 1.24.1-1): Waiting for test results or another package, or too young (no action required now - check later)
![[bug history graph]](https://qa.debian.org/data/bts/graphs/p/pgbouncer.png){kind=link}