Format: 1.8
Date: Sat, 20 Dec 2025 12:57:12 +0100
Source: pgbouncer
Binary: pgbouncer pgbouncer-dbgsym
Architecture: amd64
Version: 1.18.0-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: amd64 / i386 Build Daemon (x86-ubc-01)
Changed-By: Andreas Henriksson
Description:
 pgbouncer - lightweight connection pooler for PostgreSQL
Closes: 1103394
Changes:
 pgbouncer (1.18.0-1+deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2025-2291: expired password can be used.
     Password can be used past expiry in PgBouncer due to auth_query not
     taking into account Postgres its VALID UNTIL value, which allows an
     attacker to log in with an already expired password (Closes: #1103394)
   * CVE-2025-12819: execute arbitrary SQL during authentication.
     Untrusted search path in auth_query connection handler in PgBouncer
     before 1.25.1 allows an unauthenticated attacker to execute arbitrary
     SQL during authentication via a malicious search_path parameter in
     the StartupMessage.