Your message dated Tue, 20 May 2025 12:55:06 +0000
with message-id <e1uhmus-00ata4...@fasolo.debian.org>
and subject line Bug#1106119: fixed in pgpool2 4.6.1-1
has caused the Debian Bug report #1106119,
regarding pgpool2: CVE-2025-46801
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1106119: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106119
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: pgpool2
Version: 4.6.0-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 4.3.5-1
Hi Christoph,
The following vulnerability was published for pgpool2.
CVE-2025-46801[0]:
| Pgpool-II provided by PgPool Global Development Group contains an
| authentication bypass by primary weakness vulnerability. If the
| vulnerability is exploited, an attacker may be able to log in to the
| system as an arbitrary user, allowing them to read or tamper with
| data in the database, and/or disable the database.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-46801
    https://www.cve.org/CVERecord?id=CVE-2025-46801
[1] https://www.pgpool.net/mediawiki/index.php/Main_Page#Pgpool-II_4.6.1.2C_4.5.7.2C_4.4.12.2C_4.3.15_and_4.2.22_officially_released_.282025.2F05.2F15.29_2
[2] https://git.postgresql.org/gitweb/?p=pgpool2.git;a=commit;h=d8e2ace8737f64eee2bf5ca74f6294835fb75ccb
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: pgpool2
Source-Version: 4.6.1-1
Done: Christoph Berg <m...@debian.org>
We believe that the bug you reported is fixed in the latest version of
pgpool2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1106...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christoph Berg <m...@debian.org> (supplier of updated pgpool2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 19 May 2025 12:09:11 +0200
Source: pgpool2
Architecture: source
Version: 4.6.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgre...@tracker.debian.org>
Changed-By: Christoph Berg <m...@debian.org>
Closes: 1106119
Changes:
pgpool2 (4.6.1-1) unstable; urgency=medium
.
* New upstream version 4.6.1. (Closes: #1106119)
.
+ An authentication bypass vulnerability exists in the client
authentication mechanism of Pgpool-II. In Pgpool-II, authentication may be
bypassed even when it is supposed to be enforced. As a result, an attacker
could log in as any user, potentially leading to information disclosure,
data tampering, or even a complete shutdown of the database.
(CVE-2025-46801)
.
This vulnerability affects systems where the authentication configuration
matches one of the following patterns:
.
Pattern 1: This vulnerability occurs when all of the following conditions
are met:
.
- The password authentication method is used in pool_hba.conf
- allow_clear_text_frontend_auth = off
- The user's password is not set in pool_passwd
- The scram-sha-256 or md5 authentication method is used in pg_hba.conf
.
Pattern 2: This vulnerability occurs when all of the following conditions
are met:
.
- enable_pool_hba = off
- One of the following authentication methods is used in pg_hba.conf:
password, pam, or ldap
.
Pattern 3: This vulnerability occurs when all of the following conditions
are met:
.
- Raw mode is used (backend_clustering_mode = 'raw')
- The md5 authentication method is used in pool_hba.conf
- allow_clear_text_frontend_auth = off
- The user's password is registered in pool_passwd in plain text or AES
format
- One of the following authentication methods is used in pg_hba.conf:
password, pam, or ldap
.
Alternatively, you can modify your settings so that they do not match any
of the vulnerable configuration patterns.
.
* debian/tests/jdbc-tests: Use scram-sha-256 authentication.
--- End Message ---
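A configuration checker for the three CVE-2025-46801 patterns listed in the changelog above, added here as an example (not pgpool's or Debian's own code): given the relevant pgpool.conf settings, pool_hba.conf, pg_hba.conf and pool_passwd contents, it reports which patterns a given user's login path matches. It assumes pool_passwd entries use pgpool's md5/AES/TEXT prefixes, and it simplifies HBA matching to database and user wildcards (addresses are ignored); the sample inputs are constructed.

```python
def parse_conf(text):
    """pgpool.conf style 'key = value' lines; comments and quotes stripped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            conf[key] = value.strip("'\"").lower()
    return conf

def hba_method(text, user, db):
    """Method of the first pool_hba.conf / pg_hba.conf line matching db and
    user ('all' wildcards only; address matching is ignored here)."""
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()   # local DB USER METHOD | host DB USER ADDR METHOD
        method = f[3] if f[:1] == ["local"] and len(f) >= 4 else f[4] if len(f) >= 5 else None
        if method and f[1] in ("all", db) and f[2] in ("all", user):
            return method.lower()
    return None

def passwd_format(text, user):
    """'md5', 'aes' or 'plain' for the user's pool_passwd entry, None if absent
    (assumed prefixes: md5..., AES..., optional TEXT for plain text)."""
    for line in text.splitlines():
        name, sep, pw = line.strip().partition(":")
        if sep and name == user:
            return "md5" if pw.startswith("md5") else "aes" if pw.startswith("AES") else "plain"
    return None

def vulnerable_patterns(conf, pool_hba, pg_hba, pool_passwd, user, db="postgres"):
    """Return the changelog pattern numbers (1-3) this setup matches, [] if none."""
    pool_hba_on = conf.get("enable_pool_hba", "off") == "on"
    clear_off = conf.get("allow_clear_text_frontend_auth", "off") == "off"
    front = hba_method(pool_hba, user, db) if pool_hba_on else None  # pool_hba.conf only if enabled
    back = hba_method(pg_hba, user, db)
    stored = passwd_format(pool_passwd, user)
    hits = []
    if front == "password" and clear_off and stored is None and back in ("scram-sha-256", "md5"):
        hits.append(1)
    if not pool_hba_on and back in ("password", "pam", "ldap"):
        hits.append(2)
    if (conf.get("backend_clustering_mode") == "raw" and front == "md5" and clear_off
            and stored in ("plain", "aes") and back in ("password", "pam", "ldap")):
        hits.append(3)
    return hits

# Constructed sample matching pattern 2: pool_hba disabled, backend uses 'password'.
SAMPLE_CONF = "enable_pool_hba = off\nallow_clear_text_frontend_auth = off\n"
SAMPLE_PG_HBA = "host    all    all    0.0.0.0/0    password\n"
```

Switching the backend entry in the sample to scram-sha-256 (or enabling pool_hba with a non-vulnerable combination) makes the checker return an empty list, which is the state to aim for on unpatched hosts.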