Subject: Pgpool-II 4.6.1, 4.5.7, 4.4.12, 4.3.15 and 4.2.22 released.
From: Pgpool Global Development Group via PostgreSQL Announce
To: PostgreSQL Announce
Reply-To: pengbo@sraoss.co.jp
Date: Fri, 23 May 2025 09:44:38 +0000

# What is Pgpool-II?

Pgpool-II is a tool to add useful features to PostgreSQL, including:

* connection pooling
* load balancing
* automatic failover and [more](https://www.pgpool.net/).

# Minor releases

Pgpool Global Development Group is pleased to announce the availability of the following versions of Pgpool-II:

* 4.6.1
* 4.5.7
* 4.4.12
* 4.3.15
* 4.2.22

This release contains a security fix.

An authentication bypass vulnerability exists in the client authentication mechanism of Pgpool-II. In Pgpool-II, authentication may be bypassed even when it is supposed to be enforced. As a result, an attacker could log in as any user, potentially leading to information disclosure, data tampering, or even a complete shutdown of the database. (CVE-2025-46801)

This vulnerability affects systems where the authentication configuration matches one of the following patterns:

* Pattern 1: This vulnerability occurs when all of the following conditions are met:
    * The password authentication method is used in pool_hba.conf
    * allow_clear_text_frontend_auth = off
    * The user's password is not set in pool_passwd
    * The scram-sha-256 or md5 authentication method is used in pg_hba.conf
* Pattern 2: This vulnerability occurs when all of the following conditions are met:
    * enable_pool_hba = off
    * One of the following authentication methods is used in pg_hba.conf: password, pam, or ldap
* Pattern 3: This vulnerability occurs when all of the following conditions are met:
    * Raw mode is used (backend_clustering_mode = 'raw')
    * The md5 authentication method is used in pool_hba.conf
    * allow_clear_text_frontend_auth = off
    * The user's password is registered in pool_passwd in plain text or AES format
    * One of the following authentication methods is used in pg_hba.conf: password, pam, or ldap

All versions of the Pgpool-II 4.0 and 4.1 series, 4.2.0 to 4.2.21, 4.3.0 to 4.3.14, 4.4.0 to 4.4.11, 4.5.0 to 4.5.6 and 4.6.0 are affected by this vulnerability. It is strongly recommended to upgrade to Pgpool-II 4.6.1, 4.5.7, 4.4.12, 4.3.15 and 4.2.22 or later. Alternatively, you can modify your settings so that they do not match any of the vulnerable configuration patterns.

Please take a look at the [release notes](https://www.pgpool.net/docs/latest/en/html/release.html).

You can download [the source code and RPMs](https://pgpool.net/mediawiki/index.php/Downloads).
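For operators who cannot upgrade immediately, the three configuration patterns in the announcement can be checked mechanically. The following is an added example, not code from the Pgpool-II project or the announcement; the function names, the parameter defaults, the accepted "off" spellings and the `TEXT`/`AES` prefixes used to recognise plain-text and AES entries in pool_passwd are assumptions, and the sample input is constructed.

```python
# Added example (not Pgpool-II code): check a setup against the CVE-2025-46801 patterns.
# Assumed, not from the announcement: DEFAULTS, OFF spellings, TEXT/AES entry prefixes.
DEFAULTS = {"enable_pool_hba": "off", "allow_clear_text_frontend_auth": "off",
            "backend_clustering_mode": "streaming_replication"}
OFF = {"off", "false", "no", "0"}
CLEARTEXT_BACKEND = {"password", "pam", "ldap"}

def parse_conf(text):
    """Parse pgpool.conf-style 'key = value' lines on top of DEFAULTS."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep:
            conf[key.strip().lower()] = value.strip().strip("'\"").lower()
    return conf

def hba_methods(text):
    """Return the set of auth methods used in pg_hba.conf / pool_hba.conf text."""
    methods = set()
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        idx = 3 if f[:1] == ["local"] else 4
        if len(f) > idx and f[idx][0].isdigit():  # separate netmask column
            idx += 1
        if len(f) > idx:
            methods.add(f[idx].lower())
    return methods

def matching_patterns(conf, pool_hba, pg_hba, pool_passwd, user):
    """Return the announcement's pattern numbers (1-3) that this setup matches."""
    clear_off = conf["allow_clear_text_frontend_auth"] in OFF
    entry = pool_passwd.get(user, "")
    hits = []
    if ("password" in pool_hba and clear_off and not entry
            and pg_hba & {"scram-sha-256", "md5"}):
        hits.append(1)
    if conf["enable_pool_hba"] in OFF and pg_hba & CLEARTEXT_BACKEND:
        hits.append(2)
    if (conf["backend_clustering_mode"] == "raw" and "md5" in pool_hba
            and clear_off and entry.startswith(("TEXT", "AES"))
            and pg_hba & CLEARTEXT_BACKEND):
        hits.append(3)
    return hits

# Constructed sample input (not from any real deployment).
CONF = parse_conf("enable_pool_hba = on\nbackend_clustering_mode = 'raw'  # raw mode\n")
POOL_HBA = hba_methods("host all all 0.0.0.0/0 md5\n")
PG_HBA = hba_methods("local all all peer\nhost all all 10.0.0.0/8 ldap ldapserver=ldap.example\n")
PASSWD = {"alice": "AESconstructed==", "bob": "md5constructed"}
print(matching_patterns(CONF, POOL_HBA, PG_HBA, PASSWD, "alice"))
```

An empty result only means the supplied files do not match the listed patterns; it does not replace upgrading to a fixed release.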