[Pkg-postgresql-public] pgbouncer DoS fix

Salvatore Bonaccorso carnil at debian.org
Fri May 22 18:33:44 UTC 2015


Hi Christoph,

On Wed, May 20, 2015 at 10:51:32PM +0200, Christoph Berg wrote:
> Hi,
> 
> there's a new pgbouncer release out that fixes a DoS. The effective
> change is:
> 
> --- pgbouncer-1.5.4/NEWS	2012-11-28 14:06:30.000000000 +0100
> +++ pgbouncer-1.5.5/NEWS	2015-04-09 16:07:52.000000000 +0200
> @@ -1,3 +1,10 @@
> +2015-04-09  -  PgBouncer 1.5.5  -  "Play Dead To Win"
> +
> +  = Fixes =
> +
> +    * Fix remote crash - invalid packet order causes lookup of NULL
> +      pointer.  Not exploitable, just DoS.
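Review bot: the new NEWS entry names no CVE identifier and does not say which packet or connection state produces the "invalid packet order", so a downstream packager reading only this changelog cannot tell whether their version is affected or map the fix to CVE-2015-4054 (assigned in the reply below); suggest amending the entry to cite the CVE and the affected release range, e.g. "* Fix remote crash (CVE-2015-4054) - invalid packet order ...". Note also that the hunk header `@@ -1,3 +1,10 @@` announces seven added lines plus three context lines, but only six added lines and no context are quoted here, so the hunk as shown is truncated.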

This has been assigned CVE-2015-4054 now[0]. Given the explanation you
gave me on the use case I think it would be safe to schedule this
through a (old)stable proposed-update. Could you contact the release
team to have it updated for jessie and wheezy?

 [0] http://www.openwall.com/lists/oss-security/2015/05/22/5

Regards,
Salvatore
