May 8, 2025: PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 Released! | PostgreSQL 18 Beta 1 Released!

Pgpool-II 4.6.1, 4.5.7, 4.4.12, 4.3.15 and 4.2.22 released.

Posted on 2025-05-23 by Pgpool Global Development Group
Related Open Source

What is Pgpool-II?

Pgpool-II is a tool to add useful features to PostgreSQL, including:

  • connection pooling
  • load balancing
  • automatic failover and more.

Minor releases

Pgpool Global Development Group is pleased to announce the availability of following versions of Pgpool-II:

  • 4.6.1
  • 4.5.7
  • 4.4.12
  • 4.3.15
  • 4.2.22

This release contains a security fix.

An authentication bypass vulnerability exists in the client authentication mechanism of Pgpool-II. In Pgpool-II, authentication may be bypassed even when it is supposed to be enforced. As a result, an attacker could log in as any user, potentially leading to information disclosure, data tampering, or even a complete shutdown of the database. (CVE-2025-46801)

This vulnerability affects systems where the authentication configuration matches one of the following patterns:

  • Pattern 1: This vulnerability occurs when all of the following conditions are met:

    • The password authentication method is used in pool_hba.conf
    • allow_clear_text_frontend_auth = off
    • The user's password is not set in pool_passwd
    • The scram-sha-256 or md5 authentication method is used in pg_hba.conf

  • Pattern 2: This vulnerability occurs when all of the following conditions are met:

    • enable_pool_hba = off
    • One of the following authentication methods is used in pg_hba.conf: password, pam, or ldap

  • Pattern 3: This vulnerability occurs when all of the following conditions are met:

    • Raw mode is used (backend_clustering_mode = 'raw')
    • The md5 authentication method is used in pool_hba.conf
    • allow_clear_text_frontend_auth = off
    • The user's password is registered in pool_passwd in plain text or AES format
    • One of the following authentication methods is used in pg_hba.conf: password, pam, or ldap

All versions of Pgpool-II 4.0 and 4.1 series, 4.2.0 to 4.2.21, 4.3.0 to 4.3.14, 4.4.0 to 4.4.11, 4.5.0 to 4.5.6 and 4.6.0 are affected by this vulnerability. It is strongly recommended to upgrade to Pgpool-II 4.6.1, 4.5.7, 4.4.12, 4.3.15 and 4.2.22 or later. Alternatively, you can modify your settings so that they do not match any of the vulnerable configuration patterns.

Please take a look at release notes.

You can download the source code and RPMs.