public inbox for [email protected]
From: Pgpool Global Development Group via PostgreSQL Announce <[email protected]>
To: PostgreSQL Announce <[email protected]>
Subject: Pgpool-II 4.6.1, 4.5.7, 4.4.12, 4.3.15 and 4.2.22 released.
Date: Fri, 23 May 2025 09:44:38 +0000
Message-ID: <[email protected]> (raw)
# What is Pgpool-II?
Pgpool-II is a tool to add useful features to PostgreSQL, including:
* connection pooling
* load balancing
* automatic failover and [more](https://www.pgpool.net/).
# Minor releases
Pgpool Global Development Group is pleased to announce the availability of the following versions of Pgpool-II:
* 4.6.1
* 4.5.7
* 4.4.12
* 4.3.15
* 4.2.22
This release contains a security fix.
An authentication bypass vulnerability exists in the client authentication mechanism of Pgpool-II. In Pgpool-II, authentication may be bypassed even when it is supposed to be enforced. As a result, an attacker could log in as any user, potentially leading to information disclosure, data tampering, or even a complete shutdown of the database. (CVE-2025-46801)
This vulnerability affects systems where the authentication configuration matches one of the following patterns:
* Pattern 1: This vulnerability occurs when all of the following conditions are met:
  * The password authentication method is used in pool_hba.conf
  * allow_clear_text_frontend_auth = off
  * The user's password is not set in pool_passwd
  * The scram-sha-256 or md5 authentication method is used in pg_hba.conf
* Pattern 2: This vulnerability occurs when all of the following conditions are met:
  * enable_pool_hba = off
  * One of the following authentication methods is used in pg_hba.conf: password, pam, or ldap
* Pattern 3: This vulnerability occurs when all of the following conditions are met:
  * Raw mode is used (backend_clustering_mode = 'raw')
  * The md5 authentication method is used in pool_hba.conf
  * allow_clear_text_frontend_auth = off
  * The user's password is registered in pool_passwd in plain text or AES format
  * One of the following authentication methods is used in pg_hba.conf: password, pam, or ldap
All versions of Pgpool-II 4.0 and 4.1 series, 4.2.0 to 4.2.21, 4.3.0 to 4.3.14, 4.4.0 to 4.4.11, 4.5.0 to 4.5.6 and 4.6.0 are affected by this vulnerability. It is strongly recommended to upgrade to Pgpool-II 4.6.1, 4.5.7, 4.4.12, 4.3.15 and 4.2.22 or later. Alternatively, you can modify your settings so that they do not match any of the vulnerable configuration patterns.
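The three patterns above can be checked mechanically against a deployment's configuration files. The following is an added audit script written for this page, not code from the Pgpool Global Development Group; it encodes the conditions exactly as listed in the announcement and reports, per database user, which pattern numbers the current settings match. Its assumptions about file formats are: pgpool.conf is read as simple `key = value` lines; pool_hba.conf and pg_hba.conf use the usual HBA column layout with the METHOD in the fifth column (fourth for `local` records); pool_passwd entries are `username:value`, where a value prefix of `md5`, `AES` or `TEXT` identifies the storage format and anything without a recognised prefix is treated as plain text; and pool_hba.conf is only consulted when enable_pool_hba = on. The sample configuration fragments embedded below are constructed for the example.

```python
"""Audit Pgpool-II settings against the three vulnerable configuration
patterns listed in the CVE-2025-46801 announcement.

Constructed example, not Pgpool-II project code. Assumptions are noted
inline; the sample files at the bottom are constructed test data.
"""


def parse_conf(text):
    """Parse pgpool.conf-style `key = value` lines (comments and quotes stripped)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("'\"").lower()
    return settings


def parse_hba_methods(text):
    """Return the set of METHOD values used by the records of an HBA file.

    Assumption: standard layout TYPE DATABASE USER ADDRESS METHOD, where
    `local` records have no ADDRESS column.
    """
    methods = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        idx = 3 if fields[0] == "local" else 4
        if len(fields) > idx:
            methods.add(fields[idx].lower())
    return methods


def parse_pool_passwd(text):
    """Map user -> storage format: 'md5', 'aes' or 'text'.

    Assumption: the value prefix marks the format; an unrecognised prefix
    (including the 'TEXT' marker) is counted as plain text.
    """
    formats = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, value = line.split(":", 1)
        if value.startswith("md5"):
            formats[user] = "md5"
        elif value.startswith("AES"):
            formats[user] = "aes"
        else:
            formats[user] = "text"
    return formats


def vulnerable_patterns(settings, pool_hba_methods, pg_hba_methods, passwd_formats, user):
    """Return the announcement's pattern numbers that `user`'s setup matches."""
    pool_hba_on = settings.get("enable_pool_hba", "off") == "on"
    clear_text_off = settings.get("allow_clear_text_frontend_auth", "off") == "off"
    fmt = passwd_formats.get(user)  # None when the user has no pool_passwd entry
    backend_password_like = bool(pg_hba_methods & {"password", "pam", "ldap"})
    hits = []

    # Pattern 1: pool_hba 'password', clear-text auth off, no pool_passwd entry,
    # backend uses scram-sha-256 or md5.
    if (pool_hba_on and "password" in pool_hba_methods and clear_text_off
            and fmt is None and pg_hba_methods & {"scram-sha-256", "md5"}):
        hits.append(1)

    # Pattern 2: pool_hba disabled and backend uses password, pam or ldap.
    if not pool_hba_on and backend_password_like:
        hits.append(2)

    # Pattern 3: raw mode, pool_hba 'md5', clear-text auth off, pool_passwd
    # entry stored as plain text or AES, backend uses password, pam or ldap.
    if (pool_hba_on and settings.get("backend_clustering_mode") == "raw"
            and "md5" in pool_hba_methods and clear_text_off
            and fmt in ("text", "aes") and backend_password_like):
        hits.append(3)
    return hits


def audit(pgpool_conf, pool_hba, pg_hba, pool_passwd, users):
    """Run the full check for each user; an empty list means no pattern matched."""
    settings = parse_conf(pgpool_conf)
    pool_methods = parse_hba_methods(pool_hba)
    pg_methods = parse_hba_methods(pg_hba)
    formats = parse_pool_passwd(pool_passwd)
    return {u: vulnerable_patterns(settings, pool_methods, pg_methods, formats, u)
            for u in users}


# Constructed sample inputs (not from any real deployment).
SAMPLE_PGPOOL_CONF = """\
backend_clustering_mode = 'streaming_replication'
enable_pool_hba = on
allow_clear_text_frontend_auth = off
"""
SAMPLE_POOL_HBA = """\
# TYPE  DATABASE  USER  ADDRESS      METHOD
local   all       all                trust
host    all       all   0.0.0.0/0    password
"""
SAMPLE_PG_HBA = "host    all       all   10.0.0.0/8   scram-sha-256\n"
SAMPLE_POOL_PASSWD = "app_user:AESY29uc3RydWN0ZWQtc2FtcGxl\n"

if __name__ == "__main__":
    # report_user has no pool_passwd entry, so it matches Pattern 1.
    for user, hits in audit(SAMPLE_PGPOOL_CONF, SAMPLE_POOL_HBA, SAMPLE_PG_HBA,
                            SAMPLE_POOL_PASSWD, ["app_user", "report_user"]).items():
        print(f"{user}: {'matches pattern(s) ' + str(hits) if hits else 'no pattern matched'}")
```

In the sample, `app_user` has a pool_passwd entry and `report_user` does not, so only `report_user` trips Pattern 1; registering that user in pool_passwd, or upgrading to a fixed release, clears the match. The audit only mirrors the announcement's conditions and does not replace the upgrade.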
Please take a look at [release notes](https://www.pgpool.net/docs/latest/en/html/release.html).
You can download [the source code and RPMs](https://pgpool.net/mediawiki/index.php/Downloads).