Debian Patches
Status for pgbouncer/1.18.0-1+deb12u1
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| debian-config | | | no | | | |
| CVE-2025-2291.patch | [PATCH] Account for VALID UNTIL in auth_query (fixes CVE-2025-2291). Previously PgBouncer did not take into account the VALID UNTIL of a user password when querying for password hashes using its auth_query. So if PgBouncer is used as a transparent proxy in front of Postgres, it could allow passwords that had already expired. To solve this issue, this changes the default auth_query and the examples of custom auth_query functions in the documentation to take VALID UNTIL into account. Since this can be considered a security issue in setups where VALID UNTIL is used to limit exposure of leaked passwords, this is tracked as CVE-2025-2291. | Jelte Fennema-Nio <github-tech@jeltef.nl> | no | | | 2025-02-05 |
| CVE-2025-12819.patch | [PATCH] Harden auth_query connection setup (fixes CVE-2025-12819). We were sending `SET` commands based on an unauthenticated StartupMessage over the connection used to run an `auth_query` on the Postgres server. In default configurations this doesn't have any clear security implications, because the only settings that an attacker can send are `DateStyle`, `client_encoding`, `TimeZone`, `standard_conforming_strings`, `application_name` and `IntervalStyle`. For the default `auth_query` those shouldn't matter. For users that configured some special security-sensitive GUC in `track_extra_parameters`, like `search_path`, this does pose a security problem, though. | Jelte Fennema-Nio <postgres@jeltef.nl> | no | | | 2025-11-05 |
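The following SQL is an added illustration of the CVE-2025-2291 point above; it is not code from the Debian page, the patch, or the pgbouncer project. It constructs two roles (names and dates are made up), runs a lookup in the shape of the pre-fix default `auth_query` (`SELECT usename, passwd FROM pg_shadow WHERE usename=$1`, with `$1` replaced by a literal) next to one that honours `valuntil`, and then wraps the corrected lookup in a `SECURITY DEFINER` function of the kind the pgbouncer documentation uses for non-superuser `auth_user` setups. The function name `pgbouncer.user_lookup`, the schema, and the `pgbouncer` grantee role are assumptions. Pinning `search_path` inside that function is standard PostgreSQL hardening for `SECURITY DEFINER` functions, not something either patch does; it is included because the CVE-2025-12819 entry names `search_path` as the setting that makes the unauthenticated `SET` dangerous.

```sql
-- Added example, not part of the Debian page or the pgbouncer project.
-- Run as a PostgreSQL superuser (pg_shadow is superuser-readable).
-- Constructed test roles: one whose password expired long ago, one that never expires.
CREATE ROLE expired_app LOGIN PASSWORD 'expired-secret' VALID UNTIL '2020-01-01 00:00:00+00';
CREATE ROLE live_app    LOGIN PASSWORD 'live-secret'    VALID UNTIL 'infinity';

-- 1. Shape of the pre-fix default auth_query (assumed; $1 replaced by a literal).
--    It hands the hash to PgBouncer regardless of valuntil, so an expired
--    password still authenticates when PgBouncer sits in front of Postgres.
SELECT usename, passwd
  FROM pg_shadow
 WHERE usename = 'expired_app';

-- 2. The same lookup with the VALID UNTIL check the patch adds.
--    valuntil IS NULL means "never expires"; 'infinity' compares greater than now().
SELECT usename, passwd
  FROM pg_shadow
 WHERE usename = 'expired_app'
   AND (valuntil IS NULL OR valuntil > now());

-- 3. A lookup function for a non-superuser auth_user (hypothetical names).
--    The body schema-qualifies every catalog reference and pins search_path,
--    so a caller-supplied search_path cannot redirect the lookup.
CREATE SCHEMA IF NOT EXISTS pgbouncer;

CREATE OR REPLACE FUNCTION pgbouncer.user_lookup(i_username text)
RETURNS TABLE (uname text, phash text)
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
  SELECT s.usename::text, s.passwd
    FROM pg_catalog.pg_shadow AS s
   WHERE s.usename = i_username
     AND (s.valuntil IS NULL OR s.valuntil > pg_catalog.now());
$$;

-- Only the PgBouncer auth_user role may call it (assumes a role named pgbouncer exists).
REVOKE ALL ON FUNCTION pgbouncer.user_lookup(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION pgbouncer.user_lookup(text) TO pgbouncer;

-- 4. Exercise the function for both constructed roles.
SELECT * FROM pgbouncer.user_lookup('expired_app');
SELECT * FROM pgbouncer.user_lookup('live_app');

-- Clean up the constructed objects.
DROP FUNCTION pgbouncer.user_lookup(text);
DROP SCHEMA pgbouncer;
DROP ROLE expired_app;
DROP ROLE live_app;
```

Query 1 returns the `expired_app` row, query 2 returns nothing, and the two calls in step 4 return no row for `expired_app` and one row for `live_app`; PgBouncer treats an empty `auth_query` result as an unknown user and rejects the login. To wire the function in, the matching pgbouncer.ini setting would be `auth_query = SELECT uname, phash FROM pgbouncer.user_lookup($1)` (PgBouncer reads the first two columns as username and password hash). Before relying on this, confirm the installed PgBouncer carries CVE-2025-2291.patch (1.18.0-1+deb12u1 does, per the table above), because a custom `auth_query` only fixes the lookup and a `VALID UNTIL` still has to be set on the roles it is meant to protect.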
All known versions for source package 'pgbouncer'
- 1.25.1-1 (forky, sid)
- 1.24.1-1+deb13u1 (trixie)
- 1.18.0-1+deb12u1 (bookworm)
