VCS matches the version in the archive
- Git: https://salsa.debian.org/postgresql/pgbouncer.git
- Branch: master
- Path: debian/changelog
- Browser: https://salsa.debian.org/postgresql/pgbouncer
- Last scan: 2021-11-26 15:32:36+00
- Next scan: 2021-12-05 03:03:00+00
- CI pipeline status: success
- Debian changelog in Git:
  pgbouncer (1.16.1-1) unstable; urgency=medium

    * New upstream version.
      Make PgBouncer acting as a server reject extraneous data after an
      SSL or GSS encryption handshake.
      A man-in-the-middle with the ability to inject data into the TCP
      connection could stuff some cleartext data into the start of a
      supposedly encryption-protected database session. This could be
      abused to send faked SQL commands to the server, although that would
      only work if PgBouncer did not demand any authentication data.
      (However, a PgBouncer setup relying on SSL certificate
      authentication might well not do so.)
      (Similar to CVE-2021-23214 in the PostgreSQL server.)

   -- Christoph Berg <firstname.lastname@example.org>  Fri, 26 Nov 2021 11:19:53 +0100
- This branch is even with tag debian/1.16.1-1
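
The check that the changelog entry above describes, as an added example that is not PgBouncer's or Debian's code: a server that receives an SSL or GSS encryption request must refuse the connection if any further cleartext bytes are already buffered behind it. The function, enum and buffer names are hypothetical; the request codes are those of the PostgreSQL wire protocol, and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* PostgreSQL wire protocol: an encryption request is exactly 8 bytes,
 * an Int32 length (8) followed by an Int32 request code. */
#define REQ_LEN     8u
#define SSL_REQUEST 80877103u /* (1234 << 16) | 5679 */
#define GSS_REQUEST 80877104u /* (1234 << 16) | 5680 */

enum verdict { NEED_MORE, NOT_ENC_REQUEST, START_HANDSHAKE, REJECT_EXTRA_DATA };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* buf/len: every byte received in cleartext so far on a new client
 * connection (a hypothetical receive buffer, not PgBouncer's own). */
enum verdict classify_startup(const uint8_t *buf, size_t len)
{
    if (len < REQ_LEN)
        return NEED_MORE;
    if (be32(buf) != REQ_LEN)
        return NOT_ENC_REQUEST;
    uint32_t code = be32(buf + 4);
    if (code != SSL_REQUEST && code != GSS_REQUEST)
        return NOT_ENC_REQUEST;
    /* Bytes already buffered behind the request arrived before the
     * handshake, so they are unauthenticated cleartext. They must not
     * be kept and parsed later as if they came over the encrypted link. */
    if (len > REQ_LEN)
        return REJECT_EXTRA_DATA;
    return START_HANDSHAKE;
}

/* Constructed sample inputs: a bare SSLRequest, and one with trailing bytes. */
static const uint8_t clean_req[] = { 0, 0, 0, 8, 0x04, 0xd2, 0x16, 0x2f };
static const uint8_t stuffed_req[] = { 0, 0, 0, 8, 0x04, 0xd2, 0x16, 0x2f,
                                       'x', 'y', 'z' };

int main(void)
{
    printf("clean:   %d\n", (int)classify_startup(clean_req, sizeof clean_req));
    printf("stuffed: %d\n", (int)classify_startup(stuffed_req, sizeof stuffed_req));
    return 0;
}
```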