Your message dated Wed, 01 Mar 2023 10:34:14 +0000
with message-id <e1pxjmo-00emua...@fasolo.debian.org>
and subject line Bug#1030048: fixed in pgpool2 4.3.5-1
has caused the Debian Bug report #1030048,
regarding pgpool2: CVE-2023-22332
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1030048: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030048
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: pgpool2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for pgpool2.

CVE-2023-22332[0]:
| Information disclosure vulnerability exists in Pgpool-II 4.4.0 to
| 4.4.1 (4.4 series), 4.3.0 to 4.3.4 (4.3 series), 4.2.0 to 4.2.11 (4.2
| series), 4.1.0 to 4.1.14 (4.1 series), 4.0.0 to 4.0.21 (4.0 series),
| All versions of 3.7 series, All versions of 3.6 series, All versions
| of 3.5 series, All versions of 3.4 series, and All versions of 3.3
| series. A specific database user's authentication information may be
| obtained by another database user. As a result, the information stored
| in the database may be altered and/or database may be suspended by a
| remote attacker who successfully logged in the product with the
| obtained credentials.

Quoting from https://www.pgpool.net/mediawiki/index.php/Main_Page#News :

(I have no idea how common that is, feel free to downgrade as necessary)

----------------------------------------------
This release contains a security fix.

If the following conditions are all met, the password of "wd_lifecheck_user" is
exposed by the "SHOW POOL STATUS" command. The command can be executed by any user
who can connect to Pgpool-II. (CVE-2023-22332)

• Version 3.3 or later
• use_watchdog = on
• wd_lifecheck_method = 'query'
• A plain text password is set to wd_lifecheck_password
----------------------------------------------

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-22332
    https://www.cve.org/CVERecord?id=CVE-2023-22332

Please adjust the affected versions in the BTS as needed.

--- End Message ---
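One way to audit a host for the four conditions quoted in the report above, written as an added example for this page (it is not Pgpool-II's or Debian's code): it parses a pgpool.conf excerpt, applies the version ranges from the CVE text, reports which conditions hold, and treats the host as exposed only when all four do. Assumptions: pgpool.conf is "key = value" with single-quoted strings; empty, "md5"-prefixed and "AES"-prefixed (pg_enc output) password values are treated as not plain text, which follows the Pgpool-II documentation rather than anything on this page; the config excerpts and the SHOW POOL STATUS rows are constructed sample input.

```python
"""Audit a pgpool.conf for the CVE-2023-22332 exposure conditions.

Added example, not Pgpool-II's own code. The four conditions and the affected
version ranges come from the advisory text quoted in the bug report; the
'md5'/'AES' password-prefix convention is from the Pgpool-II documentation.
"""
import re

# Series affected only up to a given patch level (from the CVE text).
LAST_AFFECTED_PATCH = {(4, 4): 1, (4, 3): 4, (4, 2): 11, (4, 1): 14, (4, 0): 21}
# Series where every release is affected (3.3 through 3.7).
FULLY_AFFECTED_SERIES = {(3, 3), (3, 4), (3, 5), (3, 6), (3, 7)}

# key = value; the value is single-quoted (PostgreSQL-style '' escape) or bare.
# Anything after the value, including a trailing "# comment", is ignored.
CONF_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*('(?:[^']|'')*'|[^#\s]*)")


def parse_pgpool_conf(text):
    """Return {parameter: value} for the uncommented assignments in a pgpool.conf."""
    conf = {}
    for raw in text.splitlines():
        m = CONF_LINE.match(raw)
        if not m:            # blank line, or a line commented out with '#'
            continue
        value = m.group(2)
        if value.startswith("'"):
            value = value[1:-1].replace("''", "'")
        conf[m.group(1)] = value
    return conf


def version_affected(version):
    """True if 'major.minor.patch' falls inside the ranges the CVE lists."""
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    if (major, minor) in FULLY_AFFECTED_SERIES:
        return True
    last = LAST_AFFECTED_PATCH.get((major, minor))
    return last is not None and patch <= last


def password_is_plaintext(value):
    """Pgpool-II treats an empty value as 'look it up in pool_passwd' and
    values prefixed 'md5' or 'AES' (pg_enc output) as already protected
    (documentation convention, assumed here); anything else is plain text."""
    return bool(value) and not value.startswith(("md5", "AES"))


def exposure_conditions(conf, version):
    """List which of the advisory's four conditions hold for this host."""
    met = []
    if version_affected(version):
        met.append("affected Pgpool-II version")
    if conf.get("use_watchdog", "off").lower() in ("on", "true", "yes", "1"):
        met.append("use_watchdog = on")
    if conf.get("wd_lifecheck_method", "heartbeat") == "query":
        met.append("wd_lifecheck_method = 'query'")
    if password_is_plaintext(conf.get("wd_lifecheck_password", "")):
        met.append("plain-text wd_lifecheck_password")
    return met


def is_exposed(conf, version):
    """All four together: any user who can connect can read the password."""
    return len(exposure_conditions(conf, version)) == 4


def leaked_rows(pool_status_rows, conf):
    """Given (item, value) rows captured from SHOW POOL STATUS, return the
    items whose displayed value equals the plain-text lifecheck password."""
    secret = conf.get("wd_lifecheck_password", "")
    if not password_is_plaintext(secret):
        return []
    return [item for item, value in pool_status_rows if value == secret]


# Constructed sample inputs (not taken from any real deployment).
VULNERABLE_CONF = """\
use_watchdog = on
wd_lifecheck_method = 'query'
wd_lifecheck_user = 'lifecheck'
wd_lifecheck_password = 'S3cret#1'     # plain text: readable via SHOW POOL STATUS
"""

HARDENED_CONF = """\
use_watchdog = on
wd_lifecheck_method = 'query'
wd_lifecheck_user = 'lifecheck'
wd_lifecheck_password = 'AESc0nstructedNotRealOutput='   # pg_enc-style value (constructed)
"""

# Constructed excerpt of what an affected build prints for SHOW POOL STATUS.
SAMPLE_POOL_STATUS = [
    ("wd_lifecheck_user", "lifecheck"),
    ("wd_lifecheck_password", "S3cret#1"),
]

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        conf = parse_pgpool_conf(text)
        for ver in ("4.3.4", "4.3.5"):
            print(label, ver, exposure_conditions(conf, ver), "exposed:", is_exposed(conf, ver))
    print("leaked rows:", leaked_rows(SAMPLE_POOL_STATUS, parse_pgpool_conf(VULNERABLE_CONF)))
```

On a live system the equivalent check is to run SHOW POOL STATUS through psql against the Pgpool-II port as an ordinary database user and pass the wd_lifecheck_password row to leaked_rows; if the plain value comes back, rotate that database user's password after upgrading or after replacing the plain-text value with pg_enc output, since anyone who could connect may already have read it.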
--- Begin Message ---
Source: pgpool2
Source-Version: 4.3.5-1
Done: Christoph Berg <m...@debian.org>

We believe that the bug you reported is fixed in the latest version of
pgpool2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1030...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Berg <m...@debian.org> (supplier of updated pgpool2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 01 Mar 2023 11:09:35 +0100
Source: pgpool2
Architecture: source
Version: 4.3.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers <team+postgre...@tracker.debian.org>
Changed-By: Christoph Berg <m...@debian.org>
Closes: 1030048
Changes:
 pgpool2 (4.3.5-1) unstable; urgency=medium
 .
   * New upstream version 4.3.5. (Closes: #1030048)
 .
     + Fixes Information disclosure vulnerability CVE-2023-22332:
 .
       A specific database user's authentication information may be obtained
       by another database user. As a result, the information stored in the
       database may be altered and/or database may be suspended by a remote
       attacker who successfully logged in the product with the obtained
       credentials.
 .
   * debian/pgpool2.service: Start after network.target.
Checksums-Sha1:
 1775469a7678ad9c3e78407703d207c76d067aa2 2645 pgpool2_4.3.5-1.dsc
 9cfac112e459d3581072b110ad90bf536e2efb40 4785896 pgpool2_4.3.5.orig.tar.gz
 30a77dba3c143b124c326153ad2428b9225cd9da 13764 pgpool2_4.3.5-1.debian.tar.xz
Checksums-Sha256:
 ca45b7fad6539375f761a0c50569db8bf326f4524d6b91e9964293e4454eb496 2645 pgpool2_4.3.5-1.dsc
 c220bfd78da0601bc46d22b1555b0f18550c5528ce8c40d32741cefaed23e234 4785896 pgpool2_4.3.5.orig.tar.gz
 5dd753a1b47e6de57cae01ad5cf7248fe099719062eaf4c99aa9536cf635bcfd 13764 pgpool2_4.3.5-1.debian.tar.xz
Files:
 e6077ffac2d4385ea68ee527b8218ba2 2645 database optional pgpool2_4.3.5-1.dsc
 b2a0f3a09c9db2279224cb96a78ff0e5 4785896 database optional pgpool2_4.3.5.orig.tar.gz
 a9b79fac41f1b5c259139640e61fc957 13764 database optional pgpool2_4.3.5-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
