Debian Patches
Status for pgbouncer/1.24.1-1+deb13u1
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| debian-config | | | no | | | |
| CVE-2025-12819.patch | [PATCH] Harden auth_query connection setup (fixes CVE-2025-12819). We were sending `SET` commands based on an unauthenticated StartupMessage over the connection used to run an `auth_query` on the Postgres server. In default configurations this doesn't have any clear security implications, because the only settings that an attacker can send are the `DateStyle`, `client_encoding`, `TimeZone`, `standard_conforming_strings`, `application_name` and `IntervalStyle`. For the default `auth_query` those shouldn't matter. For users that configured some special security-sensitive GUC in `track_extra_parameters` like `search_path` this does pose a security problem though. | Jelte Fennema-Nio <postgres@jeltef.nl> | no | | | 2025-11-05 |
All known versions for source package 'pgbouncer'
- 1.25.1-1 (forky, sid)
- 1.24.1-1+deb13u1 (trixie)
- 1.18.0-1+deb12u1 (bookworm)
