Format: 1.8
Date: Sun, 12 Oct 2025 11:02:59 +0200
Source: pgpool2
Architecture: source
Version: 4.1.4-3+deb11u2
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <[email protected]>
Changed-By: Bastien Roucariès <[email protected]>
Closes: 1106119
Changes:
 pgpool2 (4.1.4-3+deb11u2) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS Team.
   * Fix CVE-2025-46801 (Closes: #1106119)
     Pgpool-II contains an
     authentication bypass by primary weakness vulnerability. If the
     vulnerability is exploited, an attacker may be able to log in to the
     system as an arbitrary user, allowing them to read or tamper with
     data in the database, and/or disable the database.
     .
     If enable_pool_hba = on, its auth method is "password", no password
     is registered in pool_passwd, and auth method in pg_hba.conf is
     "scram-sha-256" or "md5", for the first time when a client connects to
     pgpool, authentication is performed as expected. But if a client
     connects to the cached connection, any password from the client is
     accepted.
     .
     This vulnerability affects systems where the authentication configuration
     matches one of the following patterns:
     .
     Pattern 1: This vulnerability occurs when all of the following conditions
     are met:
     .
     - The password authentication method is used in pool_hba.conf
     - allow_clear_text_frontend_auth = off
     - The user's password is not set in pool_passwd
     - The scram-sha-256 or md5 authentication method is used in pg_hba.conf
     .
     Pattern 2: This vulnerability occurs when all of the following conditions
     are met:
     .
     - enable_pool_hba = off
     - One of the following authentication methods is used in pg_hba.conf:
       password, pam, or ldap
     .
     Pattern 3: This vulnerability occurs when all of the following conditions
     are met:
     .
     - Raw mode is used (backend_clustering_mode = 'raw')
     - The md5 authentication method is used in pool_hba.conf
     - allow_clear_text_frontend_auth = off
     - The user's password is registered in pool_passwd in plain text or AES
       format
     - One of the following authentication methods is used in pg_hba.conf:
       password, pam, or ldap
     .
     Alternatively, you can modify your settings so that they do not match any
     of the vulnerable configuration patterns.
   * debian/tests/jdbc-tests: Use scram-sha-256 authentication.
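The three configuration patterns above can be turned into a simple audit check. The following is an added example, not code from the Debian upload or from Pgpool-II; it assumes the relevant settings have already been read into a dict whose keys mirror the pgpool.conf parameter names, with the hypothetical keys pool_hba_method, pg_hba_method and pool_passwd_entry standing in for the auth method column of pool_hba.conf, the auth method column of pg_hba.conf, and the format of the user's pool_passwd entry.

```python
def vulnerable_patterns(cfg):
    """Return the CVE-2025-46801 pattern numbers (1-3) that cfg matches.

    cfg keys (assumed, mirroring the changelog wording):
      enable_pool_hba (bool), allow_clear_text_frontend_auth (bool),
      backend_clustering_mode (str), pool_hba_method (str), pg_hba_method (str),
      pool_passwd_entry (None | 'plain' | 'aes' | 'md5' | 'scram-sha-256').
    Patterns 1 and 3 refer to a pool_hba.conf method, so they are only
    evaluated when enable_pool_hba is on.
    """
    matched = []
    backend_weak = cfg["pg_hba_method"] in ("password", "pam", "ldap")
    # Pattern 1: pool_hba "password", clear-text frontend auth off, no pool_passwd
    # entry, backend uses scram-sha-256/md5 (cached connection accepts any password).
    if (cfg["enable_pool_hba"] and cfg["pool_hba_method"] == "password"
            and not cfg["allow_clear_text_frontend_auth"]
            and cfg["pool_passwd_entry"] is None
            and cfg["pg_hba_method"] in ("scram-sha-256", "md5")):
        matched.append(1)
    # Pattern 2: pool_hba disabled and backend uses password/pam/ldap.
    if not cfg["enable_pool_hba"] and backend_weak:
        matched.append(2)
    # Pattern 3: raw mode, pool_hba "md5", clear-text frontend auth off,
    # plain/AES pool_passwd entry, backend uses password/pam/ldap.
    if (cfg["backend_clustering_mode"] == "raw" and cfg["enable_pool_hba"]
            and cfg["pool_hba_method"] == "md5"
            and not cfg["allow_clear_text_frontend_auth"]
            and cfg["pool_passwd_entry"] in ("plain", "aes")
            and backend_weak):
        matched.append(3)
    return matched


# Constructed sample settings: a setup matching Pattern 1 ...
SAMPLE_VULNERABLE = {
    "enable_pool_hba": True, "allow_clear_text_frontend_auth": False,
    "backend_clustering_mode": "streaming_replication",
    "pool_hba_method": "password", "pg_hba_method": "scram-sha-256",
    "pool_passwd_entry": None,
}
# ... and the same setup after registering the user's password in pool_passwd
# and switching pool_hba.conf to scram-sha-256, which matches no pattern.
SAMPLE_HARDENED = dict(SAMPLE_VULNERABLE, pool_hba_method="scram-sha-256",
                       pool_passwd_entry="scram-sha-256")

if __name__ == "__main__":
    for name, cfg in (("vulnerable", SAMPLE_VULNERABLE), ("hardened", SAMPLE_HARDENED)):
        print(name, vulnerable_patterns(cfg) or "no vulnerable pattern")
```

The check reports which pattern a deployment matches before the fixed package is rolled out, or confirms that a settings change has moved the deployment out of all three.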