[SECURITY] [DLA 3993-1] pgpool2 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3993-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Abhijith PA
December 12, 2024                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package        : pgpool2
Version        : 4.1.4-3+deb11u1
CVE ID         : CVE-2023-22332 CVE-2024-45624

Two vulnerabilities were discovered in pgpool2, a connection pool
server and replication proxy for PostgreSQL.

CVE-2023-22332

    A specific database user's authentication information may be
    obtained by another database user. As a result, the information
    stored in the database may be altered and/or the database may be
    suspended by a remote attacker who has successfully logged in to
    the product with the obtained credentials.

CVE-2024-45624

    When the query cache feature is enabled, a database user could
    read, through the query cache, rows from tables that should not
    be visible to that user.

For Debian 11 bullseye, these problems have been fixed in version
4.1.4-3+deb11u1.

We recommend that you upgrade your pgpool2 packages.

For the detailed security status of pgpool2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pgpool2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
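A host-side triage check for the fixed version and the query cache condition named in the advisory above, added here as an example and not part of the advisory or of pgpool2. It orders versions the way dpkg does and reads pgpool.conf text for `memory_cache_enabled`, the pgpool-II setting for the in-memory query cache; the installed versions and the configuration text are constructed samples, and "last assignment wins" is an assumption about how duplicate settings are resolved.

```python
import re

FIXED = "4.1.4-3+deb11u1"  # fixed version for Debian 11 bullseye, from the advisory

def _order(c):
    # dpkg order inside a non-digit run: '~' first, then letters, then other symbols
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _part_key(s):
    # Split into alternating non-digit/digit runs. The 0 appended to each run stands
    # for "end of run", so '~' (-1) sorts before it and every other character after.
    runs = re.findall(r"(\D*)(\d*)", s) + [("", "")]
    return [([_order(c) for c in text] + [0], int(num or 0)) for text, num in runs]

def deb_key(version):
    """Sort key following dpkg ordering: epoch, upstream version, Debian revision."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), _part_key(upstream), _part_key(rev)

def query_cache_enabled(conf_text):
    """True if pgpool.conf text turns memory_cache_enabled on (assumed: last one wins)."""
    enabled = False  # pgpool-II ships with the query cache off
    for line in conf_text.splitlines():
        m = re.match(r"\s*memory_cache_enabled\s*=\s*'?(\w+)", line)
        if m:
            enabled = m.group(1).lower() in ("on", "true", "yes", "1")
    return enabled

def assess(installed, conf_text):
    """Return the advisory's CVE IDs that still apply to this installation."""
    if deb_key(installed) >= deb_key(FIXED):
        return []
    cves = ["CVE-2023-22332"]
    if query_cache_enabled(conf_text):  # CVE-2024-45624 needs the query cache
        cves.append("CVE-2024-45624")
    return cves

if __name__ == "__main__":
    sample_conf = "# constructed sample pgpool.conf\nmemory_cache_enabled = on\n"
    for version in ("4.1.4-3", FIXED):  # constructed installed versions
        print(version, assess(version, sample_conf) or "fixed")
```

On a real host, pass the version reported for the installed pgpool2 package and the contents of the active pgpool.conf.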