Date: Fri, 4 Sep 2015 20:08:11 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: CVE Assignments MITRE <cve-assign@...re.org>
Subject: CVE Request: PgBouncer: failed auth_query lookup leads to connection as auth_user

Hi

Could you please assign a CVE for the following PgBouncer issue?

From upstream announce:

https://pgbouncer.github.io/2015/09/pgbouncer-1-6-1/

> New auth_user functionality introduced in 1.6 allows login as
> auth_user when client presents unknown username. It’s quite likely
> auth_user is superuser. Affects only setups that have enabled
> auth_user in their config.

References:

- https://github.com/pgbouncer/pgbouncer/issues/69
- http://comments.gmane.org/gmane.comp.db.postgresql.pgbouncer.general/1251

Upstream fix:

https://github.com/pgbouncer/pgbouncer/commit/7ca3e5279d05fceb1e8a043c6f5b6f58dea3ed38

Regards,
Salvatore
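
An added example, not part of the original message and not PgBouncer's own code: a check that finds the setups the announcement calls affected (auth_user enabled) in a pgbouncer.ini. It assumes auth_user is set as a per-database connection-string parameter in [databases] and that only 1.6 / 1.6.0 is affected; the sample config and all function names are constructed.

```python
import re

# Constructed sample config (not from the page): one database entry enables auth_user.
SAMPLE_INI = """\
; constructed example
[databases]
app   = host=10.0.0.5 port=5432 dbname=app auth_user=pgbouncer
stats = host=10.0.0.5 dbname=stats
# legacy = host=old auth_user=postgres

[pgbouncer]
auth_type = md5
"""

# Assumption: 1.6 (also written 1.6.0) is the only affected release, since the
# feature arrived in 1.6 and the upstream announcement is for 1.6.1.
AFFECTED_VERSIONS = {"1.6", "1.6.0"}

# key=value pairs of a connection string; values may be single-quoted.
PAIR_RE = re.compile(r"(\w+)\s*=\s*('(?:[^']|'')*'|\S+)")

def databases_with_auth_user(ini_text):
    """Return {database: auth_user} for [databases] entries that set auth_user."""
    found, section = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "databases" or "=" not in line:
            continue
        name, connstr = line.split("=", 1)
        params = {k.lower(): v.strip("'") for k, v in PAIR_RE.findall(connstr)}
        if params.get("auth_user"):
            found[name.strip()] = params["auth_user"]
    return found

def audit(ini_text, version):
    """Return findings; an empty list means the stated precondition is not met."""
    if version not in AFFECTED_VERSIONS:
        return []
    return [f"{db}: unknown usernames may be logged in as '{user}'"
            for db, user in sorted(databases_with_auth_user(ini_text).items())]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI, "1.6"):
        print(finding)
```

Any database it reports should be upgraded to 1.6.1, and the privileges of the listed auth_user reviewed, since the announcement notes that account is often a superuser.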