public inbox for [email protected]  
From: PgBouncer via PostgreSQL Announce <[email protected]>
To: PostgreSQL Announce <[email protected]>
Subject: PgBouncer 1.24.1 released - Fixes CVE-2025-2291
Date: Mon, 21 Apr 2025 13:48:03 +0000
Message-ID: <[email protected]>

PgBouncer 1.24.1 has been released. This release fixes CVE-2025-2291, which
could allow an attacker to bypass Postgres's password expiry. Such a password
expiry would have been set up in Postgres using the `VALID UNTIL` clause. This
is a security issue that affects all versions of PgBouncer. If you use both
`VALID UNTIL` and `auth_user`, then you should upgrade, or change the
`auth_query` in your config file to the new `auth_query` that is used by
default in this release. If you are using a custom `auth_query`, then you should
update it to be similar to the new default `auth_query` in this release.
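To illustrate the configuration change the announcement asks for, here is an added pgbouncer.ini excerpt (not copied from the release or from the project's shipped default): a custom `auth_query` that ignores `VALID UNTIL`, beside one that refuses to hand back the password hash once the role's `valuntil` in `pg_shadow` has passed. The role name `pgbouncer` and the exact query text are assumptions; compare the hardened shape with the new default in the 1.24.1 changelog before adopting it.

```ini
; pgbouncer.ini excerpt, added as an illustration (assumed role name and query text)
[pgbouncer]
auth_user = pgbouncer

; Weak shape: returns the stored hash for any matching role, so a password
; whose VALID UNTIL date has passed is still accepted by PgBouncer.
; auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename=$1

; Hardened shape: return no row once the role's password has expired.
; A NULL valuntil means no expiry was set, so it must still be allowed through.
; No row returned makes PgBouncer reject the login, which is the behaviour
; Postgres itself applies to an expired VALID UNTIL.
auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename=$1 AND (valuntil IS NULL OR valuntil > now())
```

Because `pg_shadow` is only readable by superusers, deployments that wrap the lookup in a `SECURITY DEFINER` function need the same `valuntil` condition inside that function.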

This release also fixes PAM authentication by reverting support for `pam` in
the HBA file. PAM authentication was accidentally broken in 1.24.0.

See [https://www.pgbouncer.org/2025/04/pgbouncer-1-24-1](https://www.pgbouncer.org/2025/04/pgbouncer-1-24-1) for more information, the detailed changelog, and download links.

PgBouncer is a lightweight connection pooler for PostgreSQL.
