oss-sec mailing list archives
CVE Request: PgBouncer: failed auth_query lookup leads to connection as auth_user
From: Salvatore Bonaccorso <carnil () debian org>
Date: Fri, 4 Sep 2015 20:08:11 +0200
Hi,

Could you please assign a CVE for the following PgBouncer issue?
From upstream announce:
https://pgbouncer.github.io/2015/09/pgbouncer-1-6-1/
New auth_user functionality introduced in 1.6 allows login as auth_user when client presents unknown username. It’s quite likely auth_user is superuser. Affects only setups that have enabled auth_user in their config.
References:
- https://github.com/pgbouncer/pgbouncer/issues/69
- http://comments.gmane.org/gmane.comp.db.postgresql.pgbouncer.general/1251

Upstream fix: https://github.com/pgbouncer/pgbouncer/commit/7ca3e5279d05fceb1e8a043c6f5b6f58dea3ed38

Regards,
Salvatore