Format: 1.8
Date: Sat, 20 Dec 2025 12:57:12 +0100
Source: pgbouncer
Binary: pgbouncer pgbouncer-dbgsym
Architecture: mips64el
Version: 1.18.0-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: mipsel Build Daemon (mipsel-osuosl-05)
Changed-By: Andreas Henriksson
Description:
 pgbouncer - lightweight connection pooler for PostgreSQL
Closes: 1103394
Changes:
 pgbouncer (1.18.0-1+deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2025-2291: expired password can be used.
     Password can be used past expiry in PgBouncer due to auth_query not
     taking into account Postgres its VALID UNTIL value, which allows an
     attacker to log in with an already expired password
     (Closes: #1103394)
   * CVE-2025-12819: execute arbitrary SQL during authentication.
     Untrusted search path in auth_query connection handler in PgBouncer
     before 1.25.1 allows an unauthenticated attacker to execute arbitrary
     SQL during authentication via a malicious search_path parameter in
     the StartupMessage.