[Pkg-postgresql-public] pgbouncer DoS fix
carnil at debian.org
Fri May 22 18:33:44 UTC 2015
On Wed, May 20, 2015 at 10:51:32PM +0200, Christoph Berg wrote:
> there's a new pgbouncer release out that fixes a DoS. The effective
> change is:
> --- pgbouncer-1.5.4/NEWS 2012-11-28 14:06:30.000000000 +0100
> +++ pgbouncer-1.5.5/NEWS 2015-04-09 16:07:52.000000000 +0200
> @@ -1,3 +1,10 @@
> +2015-04-09 - PgBouncer 1.5.5 - "Play Dead To Win"
> + = Fixes =
> + * Fix remote crash - invalid packet order causes lookup of NULL
> + pointer. Not exploitable, just DoS.
This has been assigned CVE-2015-4054 now. Given the explanation you
gave me on the usecase I think it would be safe to schedule this
through a (old)stable proposed-update. Could you contact the release
team to have it updated for jessie and wheezy?
More information about the Pkg-postgresql-public