Обсуждение: PgBouncer 1.25.1 released - Fixing a bunch of bugs before Christmas (including CVE-2025-12819)

Поиск
Список
Период
Сортировка

PgBouncer 1.25.1 released - Fixing a bunch of bugs before Christmas (including CVE-2025-12819)

От
PgBouncer via PostgreSQL Announce
Дата:
 

PgBouncer 1.25.1 released - Fixing a bunch of bugs before Christmas (including CVE-2025-12819)

PgBouncer 1.25.1 has been released. This release fixes CVE-2025-12819: Before this release it was possible for an unauthenticated attacker to execute arbitrary SQL during authentication by providing a malicious search_path parameter in the StartupMessage. Systems that have ALL the following configurations are vulnerable:

  1. track_extra_parameters includes search_path (non-default configuration, probably only configured in setups involving Citus or PostgreSQL 18)
  2. auth_user is set to a non-empty string (non-default configuration)
  3. auth_query is configured without fully-qualified object names (default configuration, the < operator is not schema q

This release also fixes a bunch of bugs/issues introduced in the recent 1.25.0 release.

See the full details in the changelog.

Download here: pgbouncer-1.25.1.tar.gz (sha256)

This email was sent to you from PgBouncer. It was delivered on their behalf by the PostgreSQL project. Any questions about the content of the message should be sent to PgBouncer.

You were sent this email as a subscriber of the pgsql-announce mailinglist, for for one of the content tags Related Open Source or Security. To unsubscribe from further emails, or change which emails you want to receive, please click the personal unsubscribe link that you can find in the headers of this email, or visit https://lists.postgresql.org/unsubscribe/.
 

Чтобы сделать работу с сайтом удобнее, мы используем cookie и аналитический сервис «Яндекс.Метрика». Продолжая пользоваться сайтом, вы соглашаетесь с их использованием.