[Pkg-postgresql-public] pgbouncer DoS fix
Salvatore Bonaccorso
carnil at debian.org
Fri May 22 18:33:44 UTC 2015
Hi Christoph,
On Wed, May 20, 2015 at 10:51:32PM +0200, Christoph Berg wrote:
> Hi,
>
> there's a new pgbouncer release out that fixes a DoS. The effective
> change is:
>
> --- pgbouncer-1.5.4/NEWS 2012-11-28 14:06:30.000000000 +0100
> +++ pgbouncer-1.5.5/NEWS 2015-04-09 16:07:52.000000000 +0200
> @@ -1,3 +1,10 @@
> +2015-04-09 - PgBouncer 1.5.5 - "Play Dead To Win"
> +
> + = Fixes =
> +
> + * Fix remote crash - invalid packet order causes lookup of NULL
> + pointer. Not exploitable, just DoS.
This has been assigned CVE-2015-4054 now[0]. Given the explanation you
gave me on the usecase I think it would be safe to schedule this
through a (old)stable proposed-update. Could you contact the release
team to have it updated for jessie and wheezy?
[0] http://www.openwall.com/lists/oss-security/2015/05/22/5
Regards,
Salvatore
More information about the Pkg-postgresql-public
mailing list