-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 20 Dec 2025 12:57:12 +0100
Source: pgbouncer
Architecture: source
Version: 1.18.0-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>
Changed-By: Andreas Henriksson <andreas@fatal.se>
Closes: 1103394
Changes:
pgbouncer (1.18.0-1+deb12u1) bookworm; urgency=medium
.
* Non-maintainer upload by the LTS Security Team.
* CVE-2025-2291: expired password can be used.
  Password can be used past expiry in PgBouncer due to auth_query not
  taking into account Postgres's VALID UNTIL value, which allows an
  attacker to log in with an already expired password. (Closes: #1103394)
* CVE-2025-12819: execute arbitrary SQL during authentication.
  Untrusted search path in auth_query connection handler in PgBouncer
  before 1.25.1 allows an unauthenticated attacker to execute arbitrary
  SQL during authentication via a malicious search_path parameter in the
  StartupMessage.
Checksums-Sha1:
Checksums-Sha256:
Files: