Format: 1.8
Date: Sat, 20 Dec 2025 12:57:12 +0100
Source: pgbouncer
Binary: pgbouncer pgbouncer-dbgsym
Architecture: mipsel
Version: 1.18.0-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: mipsel Build Daemon (mipsel-osuosl-05)
Changed-By: Andreas Henriksson
Description:
 pgbouncer - lightweight connection pooler for PostgreSQL
Closes: 1103394
Changes:
 pgbouncer (1.18.0-1+deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2025-2291: expired password can be used.
     Password can be used past expiry in PgBouncer due to auth_query not
     taking into account Postgres its VALID UNTIL value, which allows an
     attacker to log in with an already expired password
     (Closes: #1103394)
   * CVE-2025-12819: execute arbitrary SQL during authentication.
     Untrusted search path in auth_query connection handler in PgBouncer
     before 1.25.1 allows an unauthenticated attacker to execute arbitrary
     SQL during authentication via a malicious search_path parameter in
     the StartupMessage.