Your message dated Thu, 17 Apr 2025 08:49:52 +0000
with message-id <[email protected]>
and subject line Bug#1103394: fixed in pgbouncer 1.24.1-1
has caused the Debian Bug report #1103394,
regarding pgbouncer: CVE-2025-2291
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1103394: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103394
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pgbouncer
Version: 1.24.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for pgbouncer.
CVE-2025-2291[0]:
| Password can be used past expiry in PgBouncer due to auth_query not
| taking into account Postgres its VALID UNTIL value, which allows an
| attacker to log in with an already expired password
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-2291
https://www.cve.org/CVERecord?id=CVE-2025-2291
[1] https://github.com/pgbouncer/pgbouncer/commit/9912ee7f1af2e1b81d4d624a0da1cb49075ee78a
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
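The vulnerability above is that a pooler-side auth_query looked up the password hash without checking the role's VALID UNTIL, so an expired password still worked through PgBouncer even though PostgreSQL itself would have refused it. The following SQL is an added example, not code from the bug report or from pgbouncer upstream, and it does not claim to be the upstream fix: it shows how an administrator can audit which login roles already have an expired VALID UNTIL, and a lookup function (the `pgbouncer.user_lookup` name and signature are assumed here, modelled on the shape of the documented auth_query example) that filters on `pg_shadow.valuntil` itself, so the expiry check does not depend on the pooler version. The `search_path` setting reflects the "safe search_path" docs change listed in the changelog.

```sql
-- Added example, not from the bug report or from pgbouncer upstream.
-- Assumes an auth_query lookup against pg_catalog.pg_shadow; the function
-- name pgbouncer.user_lookup and its OUT parameters are assumptions.

-- 1. Audit: login roles whose VALID UNTIL has already passed. Before the
--    fix, a pooler auth_query would still accept these roles' passwords.
SELECT rolname, rolvaliduntil
FROM   pg_catalog.pg_roles
WHERE  rolcanlogin
  AND  rolvaliduntil IS NOT NULL
  AND  rolvaliduntil < now();

-- 2. Lookup function for auth_query that returns no row once the
--    password has expired, mirroring PostgreSQL's own VALID UNTIL check.
--    NULL valuntil means "never expires", so it must stay allowed.
CREATE OR REPLACE FUNCTION pgbouncer.user_lookup(IN  i_username text,
                                                 OUT uname      text,
                                                 OUT phash      text)
RETURNS record
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp   -- fixed search_path for a SECURITY DEFINER function
AS $$
    SELECT usename, passwd
    FROM   pg_catalog.pg_shadow
    WHERE  usename = i_username
      AND  (valuntil IS NULL OR valuntil > now());
$$;

-- Corresponding pgbouncer.ini setting (assumed wiring, shown for context):
--   auth_query = SELECT uname, phash FROM pgbouncer.user_lookup($1)
```

Running the audit query first tells you whether any role would actually have been affected; the function is the belt-and-braces form for deployments that cannot upgrade the pooler immediately, since an expired role simply yields no row and the login fails closed.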
--- Begin Message ---
Source: pgbouncer
Source-Version: 1.24.1-1
Done: Christoph Berg <[email protected]>
We believe that the bug you reported is fixed in the latest version of
pgbouncer, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christoph Berg <[email protected]> (supplier of updated pgbouncer package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 17 Apr 2025 10:21:09 +0200
Source: pgbouncer
Architecture: source
Version: 1.24.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <[email protected]>
Changed-By: Christoph Berg <[email protected]>
Closes: 1103394
Changes:
pgbouncer (1.24.1-1) unstable; urgency=medium
.
[ Christoph Berg ]
* B-D on libsystemd-dev on Linux only.
.
[ Bradford D. Boyle ]
* New upstream version 1.24.1.
- Security
* Fix CVE-2025-2291: Account for VALID UNTIL in auth_query.
(Closes: #1103394)
- Fixes
* Fix PAM support by reverting pam authentication support in HBA file.
* Fix bug when decrementing user connection count. This was included in
the tag of 1.24.0 on GitHub, but the release tarball did not contain
this fix.
* Add test_load_balance_hosts.py to the tarball.
* Fix issues with tests to allow them to be run by Debian packagers.
- Docs
* Update auth_query example to set a safe search_path.
Checksums-Sha1:
24253d2b3f8c4029efbf78e783be623eff1afea5 2504 pgbouncer_1.24.1-1.dsc
e25d554d38c3dbacbfc33cc2f2e3c8faef06634f 717796 pgbouncer_1.24.1.orig.tar.gz
d292d08418d4079f385db0e4bbbfb1333e552eb4 11460 pgbouncer_1.24.1-1.debian.tar.xz
Checksums-Sha256:
0a0b923ad01462e52253ba9f79d8f9954f7d9d9f66fe30d18ec5781a0fda7dfe 2504 pgbouncer_1.24.1-1.dsc
da72a3aba13072876d055a3e58dd4aba4a5de4ed6148e73033185245598fd3e0 717796 pgbouncer_1.24.1.orig.tar.gz
b105e8ba570b8c1edee4ff333bb4565abff94b8c8ddae68f05f320a866c55e61 11460 pgbouncer_1.24.1-1.debian.tar.xz
Files:
9949912e530d022b597836c5dd65eda7 2504 database optional pgbouncer_1.24.1-1.dsc
434cbb2db9034d358dddf525e0e5a3dd 717796 database optional pgbouncer_1.24.1.orig.tar.gz
d27208af69dc492b3e238d508ca4956f 11460 database optional pgbouncer_1.24.1-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAmgAvVMACgkQTFprqxLS
p65MtBAAj0HIFg3v+Bs2abu2gLmELGXJaKoJAqo/zBPptmz99HtJSFNbsP7gvfPU
a+apJ10WLOoXFartGiMQxUoKQ1hdwwbAIC1aU3Cg0lmMDnDI+dhDCzQe0oFHLyH6
NFMmhFNlwGg1aPN+zJpWtWvmU4M31djbnnbAp4Ec8HNF7EndT/OdfUQTAl5JHgia
qLrrrRX9KKgHPgYuJQJ/dxOdkPxWZFFRql5TndET0LEF0Syyj1n44rp9PegKRn8T
ysqLtPv1LYETdW3tmexCfiv2jQgCFehAK4X0hiUlLZss+ALeALdhf6cBmbLJEABk
ACXenVyCjmlAshrV0czkZO+LulKd4qmbU9cc0yAzMzy79KY9PL6ZMUh3+2GTeUyL
gYZ6+mZOhXe4N4y6f62fLjQPNZSTbtmO8VAA5OkxmxBOI4AlBmGndZ061P06idpj
gDeStB3KejlC5jt67zBpMMntIpKWCG4uKT7DvWvXHvCk6fR0nrxY0YLiUQ8tBORQ
hsX8rb3jiMmjtShjAZFLzdcyuHosYTFeqSjZ5BFXPtFsTQcGCJoQiV/9qoh9zhEx
rqbPQObNiLlA9BnLJx+liYlYMHes4k7y4A2i+RcOxTqS4islpwS1vVdEhGNZZx7x
PfwHjVoL2UH+ouPQ9XIJoJ4nu1h+6qsL6SKTpQiw+jq+BsOrsRU=
=KnQK
-----END PGP SIGNATURE-----
--- End Message ---