Source: pgbouncer
Version: 1.25.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for pgbouncer.

CVE-2026-6664[0]:
| An integer overflow in network packet parsing code in PgBouncer
| before 1.25.2 bypasses a boundary check and can lead to a crash. An
| unauthenticated remote attacker can crash PgBouncer with a malformed
| SCRAM authentication packet.

CVE-2026-6665[1]:
| The SCRAM code in PgBouncer before 1.25.2 did not check the return
| value of strlcat() correctly when building the contents of the SCRAM
| client-final-message. A malicious backend that sends a SCRAM server-
| final-message with a long nonce can trigger a stack overflow.

CVE-2026-6666[2]:
| A possible null pointer reference in PgBouncer before 1.25.2 could
| lead to a crash, if a server sends an error response without
| SQLSTATE field.

CVE-2026-6667[3]:
| PgBouncer before 1.25.2 did not perform an appropriate authorization
| check for the KILL_CLIENT admin command. All users with access to
| the administration console (which itself requires authorization)
| could run this command. It would have been correct to allow only
| users listed in the admin_users parameter.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-6664
    https://www.cve.org/CVERecord?id=CVE-2026-6664
[1] https://security-tracker.debian.org/tracker/CVE-2026-6665
    https://www.cve.org/CVERecord?id=CVE-2026-6665
[2] https://security-tracker.debian.org/tracker/CVE-2026-6666
    https://www.cve.org/CVERecord?id=CVE-2026-6666
[3] https://security-tracker.debian.org/tracker/CVE-2026-6667
    https://www.cve.org/CVERecord?id=CVE-2026-6667

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
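As an added illustration of the defect class behind CVE-2026-6665 (this is example code, not pgbouncer's and not part of the report above): a SCRAM client-final-message builder that treats every strlcat() result of at least the buffer size as a hard failure, so an overlong server nonce is rejected rather than producing a truncated message whose length is later trusted. scram_strlcat is a portable stand-in with the strlcat(3) contract, build_client_final and example_client_final are hypothetical helper names, and the nonce and proof strings are constructed sample values.

```c
#include <stddef.h>
#include <string.h>

/* Portable stand-in with the strlcat(3) contract (not pgbouncer's code): append src to dst
 * within dstsize bytes, NUL-terminate when possible, and return the length the full result
 * would have had, so any return value >= dstsize signals truncation. */
static size_t scram_strlcat(char *dst, const char *src, size_t dstsize)
{
    size_t dlen = 0, slen = strlen(src);
    while (dlen < dstsize && dst[dlen] != '\0')
        dlen++;
    if (dlen == dstsize)                  /* dst unterminated: append nothing */
        return dstsize + slen;
    size_t n = slen < dstsize - dlen - 1 ? slen : dstsize - dlen - 1;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
}

/* Build the RFC 5802 client-final-message "c=biws,r=<client nonce><server nonce>,p=<proof>"
 * into a caller-owned buffer. Every append result is checked against the buffer size, so an
 * overlong server nonce fails the whole build instead of leaving a silently truncated message
 * whose length is later trusted. Hypothetical helper; returns 1 on success, 0 on truncation. */
int build_client_final(char *out, size_t outsize, const char *client_nonce,
                       const char *server_nonce, const char *proof_b64)
{
    const char *parts[] = { "c=biws,r=", client_nonce, server_nonce, ",p=", proof_b64 };
    if (outsize == 0)
        return 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof parts / sizeof parts[0]; i++) {
        if (scram_strlcat(out, parts[i], outsize) >= outsize) {
            out[0] = '\0';                /* never hand back a partial message */
            return 0;
        }
    }
    return 1;
}

/* Runs the builder with constructed sample values (not real traffic) into a static buffer
 * capped at `limit` bytes (at most 128); returns the message, or NULL if it did not fit. */
const char *example_client_final(size_t limit)
{
    static char buf[128];
    if (limit > sizeof buf)
        limit = sizeof buf;
    return build_client_final(buf, limit, "rOprNGfwEbeRWgbNEkqO",
                              "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0",
                              "v0X8v3Bz2T0CJGbJQyF0X+HI4Ts=") ? buf : NULL;
}
```

The sample message is 90 bytes long, so a 91-byte buffer is the smallest that succeeds; anything smaller is refused outright instead of being partially filled.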

