Debian Patches
Status for pgbouncer/1.24.1-1+deb13u2
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| debian-config | | | no | | | |
| CVE-2025-12819.patch | Harden auth_query connection setup (fixes CVE-2025-12819) We were sending `SET` commands based on an unauthenticated StartupMessage over the connection used to run an `auth_query` on the Postgres server. In default configurations this doesn't have any clear security implications, because the only settings that an attacker can send are the `DateStyle`, `client_encoding`, `TimeZone`, `standard_conforming_strings`, `application_name` and `IntervalStyle`. For the default `auth_query` those shouldn't matter. For users that configured some special security sensitive GUC in `track_extra_parameters` like `search_path` this does pose a security problem though. | Jelte Fennema-Nio <postgres@jeltef.nl> | no | | | 2025-11-05 |
| CVE-2026-6664-Fix-integer-overflow-in-mbuf.h.patch | [PATCH 1/4] Fix integer overflow in mbuf.h An integer overflow in mbuf_get_bytes() bypasses a boundary check and can lead to a crash. An unauthenticated remote attacker can crash PgBouncer with a malformed SCRAM authentication packet. Report and fix by @JohannesLks. | Euler Taveira <euler@eulerto.com> | no | | | 2026-04-14 |
| CVE-2026-6665-Fix-buffer-overflow-in-SCRAM.patch | [PATCH 2/4] Fix buffer overflow in SCRAM The SCRAM code did not check the return value of strlcat() correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack overflow. Reported by @HarutoKimura. | Euler Taveira <euler@eulerto.com> | no | | | 2026-04-15 |
| CVE-2026-6666-Avoid-crash-in-kill_pool_logins_server_error.patch | [PATCH 3/4] Avoid crash in kill_pool_logins_server_error Prevent a null pointer dereference crash while comparing SQLSTATE error code. It also checks msg and level before using them in log_warning. A malicious backend could send a malformed ErrorResponse that does not include an SQLSTATE error code. Reported by @HarutoKimura. | Euler Taveira <euler@eulerto.com> | no | | | 2026-04-27 |
| CVE-2026-6667-KILL_CLIENT-requires-admin-access.patch | [PATCH 4/4] KILL_CLIENT requires admin access The commit 1dbde96 that added the KILL_CLIENT command forgot to check the privileges to execute it. As KILL, KILL_CLIENT should only be executed by users listed in the admin_users parameter. Report and fix by @HarutoKimura. | Euler Taveira <euler@eulerto.com> | no | | | 2026-04-28 |
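For CVE-2025-12819 the practitioner check on a pgbouncer that does not yet carry the patch is what `track_extra_parameters` lists: every GUC named there is forwarded from the client's unauthenticated StartupMessage as a `SET` on the auth_query connection. The fragment below is an added configuration sketch for this page, not configuration from the page or from the pgbouncer project; the `user_lookup()` function in `auth_query` is hypothetical and only stands in for any unqualified name whose resolution depends on `search_path`.

```ini
[pgbouncer]
; Hypothetical auth_query that resolves an unqualified function name.
auth_query = SELECT usename, passwd FROM user_lookup($1)

; Exposed configuration: search_path is tracked, so a client that has not
; authenticated yet can choose which schema user_lookup() resolves in on
; the connection that runs auth_query.
track_extra_parameters = IntervalStyle, search_path

; Corrected configuration: keep the tracked list to presentation settings
; (IntervalStyle is the default value) and never add name-resolution or
; privilege-affecting GUCs such as search_path to it.
;track_extra_parameters = IntervalStyle
```

Only one of the two `track_extra_parameters` lines should be active; the second is shown commented out so the pair can be read side by side. The default tracked settings named in the commit message (DateStyle, client_encoding, TimeZone, standard_conforming_strings, application_name, IntervalStyle) are the ones the commit message describes as harmless for the default auth_query.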
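The two memory-safety fixes in the table (CVE-2026-6664 and CVE-2026-6665) are both bounds checks that fail through arithmetic rather than through absence: an addition in a length check that wraps, and a `strlcat()` return value that is not compared against the buffer size. The C program below is an added illustration written for this page; it is not pgbouncer's code and not either patch. `struct pkt_buf`, `get_bytes_vuln`, `get_bytes_safe`, `xstrlcat`, `build_client_final_nonproof`, the sample packet and the sample nonce are all hypothetical. It shows the `pos + len > end` form being bypassed by an oversized length, the `len > end - pos` form that cannot wrap under the invariant `read_pos <= write_pos`, and a SCRAM client-final-message builder that refuses a nonce that does not fit instead of dropping the `strlcat()` result.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical read cursor over a received packet (illustrative, not
 * pgbouncer's mbuf.h). Invariant: read_pos <= write_pos. */
struct pkt_buf {
    const uint8_t *data;
    unsigned int read_pos;
    unsigned int write_pos;
};

/* Vulnerable pattern: read_pos + len wraps when len is near UINT_MAX, the
 * comparison passes, and the caller reads far past write_pos. */
static bool get_bytes_vuln(struct pkt_buf *b, unsigned int len, const uint8_t **out)
{
    if (b->read_pos + len > b->write_pos)
        return false;
    *out = b->data + b->read_pos;
    b->read_pos += len;
    return true;
}

/* Hardened pattern: compare len with the bytes remaining; under the
 * invariant the subtraction cannot wrap and nothing is added. */
static bool get_bytes_safe(struct pkt_buf *b, unsigned int len, const uint8_t **out)
{
    if (len > b->write_pos - b->read_pos)
        return false;
    *out = b->data + b->read_pos;
    b->read_pos += len;
    return true;
}

/* Constructed 8-byte packet of which 4 bytes are already consumed. */
static const uint8_t SAMPLE_PKT[8] = { 'n', ',', ',', 'n', '=', 'a', 'b', 'c' };

/* True when the vulnerable check accepts a length far beyond the 4 bytes
 * left: 4 + UINT_MAX wraps to 3, and 3 > 8 is false. */
bool vuln_check_is_bypassed(void)
{
    struct pkt_buf b = { SAMPLE_PKT, 4, 8 };
    const uint8_t *p = NULL;
    return get_bytes_vuln(&b, UINT_MAX, &p);
}

/* True when the hardened check rejects the same length. */
bool safe_check_rejects(void)
{
    struct pkt_buf b = { SAMPLE_PKT, 4, 8 };
    const uint8_t *p = NULL;
    return !get_bytes_safe(&b, UINT_MAX, &p);
}

/* Local strlcat with BSD semantics (returns the length of the string it tried
 * to build) so the example compiles where libc lacks strlcat. */
static size_t xstrlcat(char *dst, const char *src, size_t size)
{
    size_t dlen = strlen(dst), slen = strlen(src);
    if (dlen + 1 >= size)
        return dlen + slen;
    size_t n = slen < size - dlen - 1 ? slen : size - dlen - 1;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
}

/* Builds a SCRAM client-final-message-without-proof ("c=biws,r=" followed by
 * the nonce, RFC 5802). Returns 0 on success, -1 when the nonce does not fit:
 * each strlcat result is compared with the buffer size, so an oversized
 * server nonce is refused instead of silently truncated. */
int build_client_final_nonproof(char *dst, size_t dstsz, const char *nonce)
{
    if (dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (xstrlcat(dst, "c=biws,r=", dstsz) >= dstsz)
        return -1;
    if (xstrlcat(dst, nonce, dstsz) >= dstsz)
        return -1;
    return 0;
}

/* Runs the builder into a fixed 64-byte stack buffer at a chosen size. */
bool client_final_fits(size_t bufsz, const char *nonce)
{
    char buf[64];
    if (bufsz > sizeof buf)
        return false;
    return build_client_final_nonproof(buf, bufsz, nonce) == 0;
}

int main(void)
{
    printf("vulnerable check bypassed: %d\n", vuln_check_is_bypassed());
    printf("hardened check rejects: %d\n", safe_check_rejects());
    printf("24-byte nonce fits in 32 bytes: %d\n", client_final_fits(32, "fyko+d2lbbFgONRv9qkxdawL"));
    return 0;
}
```

Build with `cc -Wall -Wextra -o bounds bounds.c`. The 24-byte nonce is the constructed sample from RFC 5802's example exchange and is not tied to either CVE; with a 32-byte buffer the 9-byte prefix plus 24 bytes plus the terminator needs 34 bytes, so the builder returns -1, while a 64-byte buffer succeeds. Note the difference in exposure the table records: the length-check bypass (CVE-2026-6664) is reachable before authentication from the client side, whereas the nonce case (CVE-2026-6665) requires a malicious or compromised backend.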
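CVE-2026-6666 in the table is a null pointer dereference on a backend ErrorResponse that carries no SQLSTATE field. The program below is an added example for this page, not pgbouncer's code and not the patch: it parses the body of a PostgreSQL ErrorResponse, whose fields are a one-byte type code followed by a NUL-terminated string and end with a single zero byte (type `C` is the SQLSTATE, `S` the severity, `M` the message), and treats every field as optional. `struct err_fields`, `parse_error_response` and `is_auth_failure` are hypothetical names; the class-28 check in `is_auth_failure` is only an illustrative consumer of the SQLSTATE and is not what `kill_pool_logins_server_error` does. The sample bodies are constructed, not captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of interest from a backend ErrorResponse; NULL means absent. */
struct err_fields {
    const char *severity;   /* field type 'S' */
    const char *sqlstate;   /* field type 'C' */
    const char *message;    /* field type 'M' */
};

/* Parses the body of an ErrorResponse (the bytes after the 'E' type byte and
 * the int32 length): a sequence of <one-byte field type><NUL-terminated
 * string>, ended by a single zero byte. Returns false if the body is
 * truncated or unterminated; never reads outside body[0..len). */
bool parse_error_response(const uint8_t *body, size_t len, struct err_fields *f)
{
    memset(f, 0, sizeof *f);
    size_t i = 0;
    while (i < len) {
        uint8_t type = body[i++];
        if (type == 0)
            return true;                          /* terminator reached */
        const uint8_t *nul = memchr(body + i, 0, len - i);
        if (!nul)
            return false;                         /* string runs off the end */
        const char *s = (const char *)(body + i);
        switch (type) {
        case 'S': f->severity = s; break;
        case 'C': f->sqlstate = s; break;
        case 'M': f->message  = s; break;
        default:  break;                          /* other fields ignored */
        }
        i = (size_t)(nul - body) + 1;
    }
    return false;                                 /* ran out before the terminator */
}

/* Treats an error as an authentication failure when its SQLSTATE is in
 * PostgreSQL class 28 (invalid authorization specification). A response with
 * no 'C' field is reported as "not an auth failure" instead of being handed
 * to strncmp as a NULL pointer. */
bool is_auth_failure(const uint8_t *body, size_t len)
{
    struct err_fields f;
    if (!parse_error_response(body, len, &f) || f.sqlstate == NULL)
        return false;
    return strncmp(f.sqlstate, "28", 2) == 0;
}

/* Constructed sample bodies (not captured traffic). sizeof includes the
 * literal's implicit trailing NUL, which is not part of the body. */
static const uint8_t WELL_FORMED[] =
    "SFATAL\0" "C28P01\0" "Mpassword authentication failed for user \"app\"\0" "\0";
static const uint8_t NO_SQLSTATE[] =
    "SFATAL\0" "Mno code here\0" "\0";
static const uint8_t TRUNCATED[] =
    "SFATAL\0" "C28";

bool sample_auth_failure_detected(void)
{
    return is_auth_failure(WELL_FORMED, sizeof WELL_FORMED - 1);
}

bool sample_missing_sqlstate_is_safe(void)
{
    return !is_auth_failure(NO_SQLSTATE, sizeof NO_SQLSTATE - 1);
}

bool sample_truncated_rejected(void)
{
    struct err_fields f;
    return !parse_error_response(TRUNCATED, sizeof TRUNCATED - 1, &f);
}

int main(void)
{
    printf("well-formed 28P01 is an auth failure: %d\n", sample_auth_failure_detected());
    printf("missing SQLSTATE handled safely: %d\n", sample_missing_sqlstate_is_safe());
    printf("truncated body rejected: %d\n", sample_truncated_rejected());
    return 0;
}
```

The two defensive points are the `nul == NULL` check, which stops a field without a terminator from walking past the buffer, and the `f.sqlstate == NULL` check before any string comparison, which is the class of check the patch description says was missing. The same discipline applies to the severity and message fields before they are passed to a logging function, as the description also notes for `log_warning`.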
All known versions for source package 'pgbouncer'
- 1.25.2-1 (sid, forky)
- 1.24.1-1+deb13u2 (trixie)
- 1.18.0-1+deb12u1 (bookworm)
