Format: 1.8
Date: Sat, 20 Dec 2025 12:57:12 +0100
Source: pgbouncer
Binary: pgbouncer pgbouncer-dbgsym
Architecture: armhf
Version: 1.18.0-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: arm Build Daemon (arm-ubc-06)
Changed-By: Andreas Henriksson
Description:
 pgbouncer - lightweight connection pooler for PostgreSQL
Closes: 1103394
Changes:
 pgbouncer (1.18.0-1+deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2025-2291: expired password can be used.
     Password can be used past expiry in PgBouncer due to auth_query not
     taking into account Postgres its VALID UNTIL value, which allows an
     attacker to log in with an already expired password (Closes: #1103394)
   * CVE-2025-12819: execute arbitrary SQL during authentication.
     Untrusted search path in auth_query connection handler in PgBouncer
     before 1.25.1 allows an unauthenticated attacker to execute arbitrary
     SQL during authentication via a malicious search_path parameter in the
     StartupMessage.