• Accepted pgpool2 4.6.1-1 (source) into unstable

    From Debian FTP Masters@21:1/5 to All on Tue May 20 15:00:01 2025

    Format: 1.8
    Date: Mon, 19 May 2025 12:09:11 +0200
    Source: pgpool2
    Architecture: source
    Version: 4.6.1-1
    Distribution: unstable
    Urgency: medium
    Maintainer: Debian PostgreSQL Maintainers <[email protected]>
    Changed-By: Christoph Berg <[email protected]>
    Closes: 1106119
    Changes:
    pgpool2 (4.6.1-1) unstable; urgency=medium
    .
    * New upstream version 4.6.1. (Closes: #1106119)
    .
    + An authentication bypass vulnerability exists in the client
    authentication mechanism of Pgpool-II. In Pgpool-II, authentication may be
    bypassed even when it is supposed to be enforced. As a result, an attacker
    could log in as any user, potentially leading to information disclosure,
    data tampering, or even a complete shutdown of the database.
    (CVE-2025-46801)
    .
    This vulnerability affects systems where the authentication configuration
    matches one of the following patterns:
    .
    Pattern 1: This vulnerability occurs when all of the following conditions
    are met:
    .
    - The password authentication method is used in pool_hba.conf
    - allow_clear_text_frontend_auth = off
    - The user's password is not set in pool_passwd
    - The scram-sha-256 or md5 authentication method is used in pg_hba.conf
    .
    Pattern 2: This vulnerability occurs when all of the following conditions
    are met:
    .
    - enable_pool_hba = off
    - One of the following authentication methods is used in pg_hba.conf:
    password, pam, or ldap
    .
    Pattern 3: This vulnerability occurs when all of the following conditions
    are met:
    .
    - Raw mode is used (backend_clustering_mode = 'raw')
    - The md5 authentication method is used in pool_hba.conf
    - allow_clear_text_frontend_auth = off
    - The user's password is registered in pool_passwd in plain text or AES
    format
    - One of the following authentication methods is used in pg_hba.conf:
    password, pam, or ldap
    .
    Alternatively, you can modify your settings so that they do not match any
    of the vulnerable configuration patterns.
    .
    * debian/tests/jdbc-tests: Use scram-sha-256 authentication.
    Checksums-Sha1:
    8f97aff0fb169e21aa6d26767d04feb51ecfd849 2694 pgpool2_4.6.1-1.dsc
    5226ff75ab7ab6ada98ef213e9e6efce6dc36d25 5549482 pgpool2_4.6.1.orig.tar.gz
    3ef082cdfaf468db6b4509156837d1be8c85cdd9 14788 pgpool2_4.6.1-1.debian.tar.xz
    Checksums-Sha256:
    25fffd218ef590bda213197f037080b5653f1f7a80e79cd8207e3c6d386d1abb 2694 pgpool2_4.6.1-1.dsc
    0f8805d93bc40002c8019dc40ae03a71a3d144bd39f3dffe6fa01f7fc19bb8e8 5549482 pgpool2_4.6.1.orig.tar.gz
    4d1cc44dc026131a6c7354871c5aeb8cd46810b563b137d09bdff31a01902182 14788 pgpool2_4.6.1-1.debian.tar.xz
    Files:
    1173bf37b838e946cebd53a61fded6f3 2694 database optional pgpool2_4.6.1-1.dsc
    1fcf548bd309b18f1b21e16105ac84fb 5549482 database optional pgpool2_4.6.1.orig.tar.gz
    3b669e24fa02574d0f77124bfd61fc37 14788 database optional pgpool2_4.6.1-1.debian.tar.xz




    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
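The three configuration patterns the changelog quotes, as an added checker that is not part of the Debian upload or of Pgpool-II itself: it parses the pgpool.conf keys the advisory names (a constructed fragment is embedded) and reports which CVE-2025-46801 pattern a deployment matches. The outcome of pool_hba.conf, pool_passwd and pg_hba.conf for the user in question is passed in as parameters, since matching those files is outside this example; treating pool_hba.conf as consulted only when enable_pool_hba is on is my reading of the patterns, not text from the advisory.

```python
import re

def parse_pgpool_conf(text: str) -> dict[str, str]:
    """Parse 'key = value' lines of pgpool.conf; strips comments and quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("'")
    return settings

def _on(settings, key, default="off"):
    return settings.get(key, default).lower() in ("on", "true", "yes", "1")

def matching_patterns(settings, pool_hba_method, pool_passwd_entry, pg_hba_method):
    """Return the advisory pattern numbers (1..3) this configuration matches.
    pool_hba_method: method the user's pool_hba.conf line selects (None when
    enable_pool_hba is off). pool_passwd_entry: None if the user is absent from
    pool_passwd, else 'plain', 'aes', 'md5' or 'scram-sha-256' (stored format).
    pg_hba_method: method the backend's pg_hba.conf selects for the user."""
    pool_hba = _on(settings, "enable_pool_hba")                   # pgpool default: off
    clear_text = _on(settings, "allow_clear_text_frontend_auth")  # pgpool default: off
    raw_mode = settings.get("backend_clustering_mode", "") == "raw"
    hits = []
    # Pattern 1: pool_hba 'password', clear-text frontend auth off, user not in
    # pool_passwd, backend asks for scram-sha-256 or md5. (Assumption: pool_hba.conf
    # only applies when enable_pool_hba is on.)
    if (pool_hba and pool_hba_method == "password" and not clear_text
            and pool_passwd_entry is None
            and pg_hba_method in ("scram-sha-256", "md5")):
        hits.append(1)
    # Pattern 2: pool_hba disabled and backend uses password, pam or ldap.
    if not pool_hba and pg_hba_method in ("password", "pam", "ldap"):
        hits.append(2)
    # Pattern 3: raw mode, pool_hba 'md5', clear-text frontend auth off, password
    # stored plain or AES in pool_passwd, backend uses password, pam or ldap.
    if (raw_mode and pool_hba and pool_hba_method == "md5" and not clear_text
            and pool_passwd_entry in ("plain", "aes")
            and pg_hba_method in ("password", "pam", "ldap")):
        hits.append(3)
    return hits

# Constructed pgpool.conf fragment (not from any real deployment).
SAMPLE_CONF = """
backend_clustering_mode = 'raw'    # raw mode, as in pattern 3
enable_pool_hba = on
allow_clear_text_frontend_auth = off
"""
```

Any non-empty result means the deployment still matches a vulnerable pattern and should be upgraded to 4.6.1 or have the named settings changed.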