Date: Fri, 4 Sep 2015 20:08:11 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: CVE Assignments MITRE <cve-assign@...re.org>
Subject: CVE Request: PgBouncer: failed auth_query lookup leads to connection
 as auth_user

Hi

Could you please assign a CVE for the following PgBouncer issue?

From upstream announce:

https://pgbouncer.github.io/2015/09/pgbouncer-1-6-1/
> New auth_user functionality introduced in 1.6 allows login as
> auth_user when client presents unknown username. It’s quite likely
> auth_user is superuser. Affects only setups that have enabled
> auth_user in their config.

References:
 - https://github.com/pgbouncer/pgbouncer/issues/69
 - http://comments.gmane.org/gmane.comp.db.postgresql.pgbouncer.general/1251

Upstream fix:
https://github.com/pgbouncer/pgbouncer/commit/7ca3e5279d05fceb1e8a043c6f5b6f58dea3ed38

Regards,
Salvatore
