Format: 1.8
Date: Sat, 20 Dec 2025 12:57:12 +0100
Source: pgbouncer
Binary: pgbouncer pgbouncer-dbgsym
Architecture: i386
Version: 1.18.0-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: amd64 / i386 Build Daemon (x86-ubc-02)
Changed-By: Andreas Henriksson
Description:
 pgbouncer - lightweight connection pooler for PostgreSQL
Closes: 1103394
Changes:
 pgbouncer (1.18.0-1+deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2025-2291: expired password can be used.
     Password can be used past expiry in PgBouncer due to auth_query not
     taking into account Postgres its VALID UNTIL value, which allows an
     attacker to log in with an already expired password
     (Closes: #1103394)
   * CVE-2025-12819: execute arbitrary SQL during authentication.
     Untrusted search path in auth_query connection handler in PgBouncer
     before 1.25.1 allows an unauthenticated attacker to execute arbitrary
     SQL during authentication via a malicious search_path parameter in the
     StartupMessage.