Format: 1.8
Date: Sat, 20 Dec 2025 12:57:12 +0100
Source: pgbouncer
Architecture: source
Version: 1.18.0-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers
Changed-By: Andreas Henriksson
Closes: 1103394
Changes:
 pgbouncer (1.18.0-1+deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2025-2291: expired password can be used.
     Password can be used past expiry in PgBouncer due to auth_query
     not taking into account Postgres its VALID UNTIL value, which
     allows an attacker to log in with an already expired password
     (Closes: #1103394)
   * CVE-2025-12819: execute arbitrary SQL during authentication.
     Untrusted search path in auth_query connection handler in
     PgBouncer before 1.25.1 allows an unauthenticated attacker to
     execute arbitrary SQL during authentication via a malicious
     search_path parameter in the StartupMessage.