Hi Christoph, On Wed, May 20, 2015 at 10:51:32PM +0200, Christoph Berg wrote: > Hi, > > there's a new pgbouncer release out that fixes a DoS. The effective > change is: > > --- pgbouncer-1.5.4/NEWS 2012-11-28 14:06:30.000000000 +0100 > +++ pgbouncer-1.5.5/NEWS 2015-04-09 16:07:52.000000000 +0200 > @@ -1,3 +1,10 @@ > +2015-04-09 - PgBouncer 1.5.5 - "Play Dead To Win" > + > + = Fixes = > + > + * Fix remote crash - invalid packet order causes lookup of NULL > + pointer. Not exploitable, just DoS.
This has been assigned CVE-2015-4054 now[0]. Given the explanation you gave me on the usecase I think it would be safe to schedule this through a (old)stable proposed-update. Could you contact the release team to have it updated for jessie and wheezy? [0] http://www.openwall.com/lists/oss-security/2015/05/22/5 Regards, Salvatore _______________________________________________ Pkg-postgresql-public mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-postgresql-public
