Hi,

there's a new pgbouncer release out that fixes a DoS. The effective
change is:

--- pgbouncer-1.5.4/NEWS        2012-11-28 14:06:30.000000000 +0100
+++ pgbouncer-1.5.5/NEWS        2015-04-09 16:07:52.000000000 +0200
@@ -1,3 +1,10 @@
+2015-04-09  -  PgBouncer 1.5.5  -  "Play Dead To Win"
+
+  = Fixes =
+
+    * Fix remote crash - invalid packet order causes lookup of NULL
+      pointer.  Not exploitable, just DoS.
+
 2012-11-28  -  PgBouncer 1.5.4  -  "No Leaks, Potty-Training Successful"
 
   = Fixes =
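
Review bot: The new entry's "invalid packet order" does not say which order triggers the crash. The client.c change in this same diff shows it is a PasswordMessage arriving before the startup packet, so naming that in the NEWS text would let administrators match the fix to the new "client password pkt before startup packet" disconnect message in their logs. If a CVE id is assigned later, this entry is the place to record it.
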
diff -Nru pgbouncer-1.5.4/src/client.c pgbouncer-1.5.5/src/client.c
--- pgbouncer-1.5.4/src/client.c        2012-08-16 13:03:34.000000000 +0200
+++ pgbouncer-1.5.5/src/client.c        2015-04-09 16:03:32.000000000 +0200
@@ -262,6 +262,12 @@
                }
                break;
        case 'p':               /* PasswordMessage */
+               /* too early */
+               if (!client->auth_user) {
+                       disconnect_client(client, true, "client password pkt 
before startup packet");
+                       return false;
+               }
+
                /* haven't requested it */
                if (cf_auth_type <= AUTH_TRUST) {
                        disconnect_client(client, true, "unrequested passwd 
pkt");
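
Review bot: The new `!client->auth_user` test guards only the 'p' (PasswordMessage) case, so any other packet type handled in this switch that reads client->auth_user before a startup packet has been seen would still reach the same NULL lookup. The visible context does not show the other cases, so please confirm each one is either guarded or cannot touch that field. The "/* too early */" comment would be clearer if it said what it protects, for example that auth_user is not set until the startup packet has been handled, which is what the disconnect message implies. Separately, both disconnect_client() string literals are wrapped across two lines in this mail, so the patch as pasted will not apply; sending it as an attachment would avoid that.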


Would this patch applied to the current (old)stable packages be
acceptable for a DSA? The fix for unstable is just being uploaded.
(I'm not aware of a CVE number allocated for this.)

Christoph
-- 
[email protected] | http://www.df7cb.de/


_______________________________________________
Pkg-postgresql-public mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-postgresql-public
