From: | PgBouncer via PostgreSQL Announce <announce-noreply(at)postgresql(dot)org> |
---|---|
To: | PostgreSQL Announce <pgsql-announce(at)lists(dot)postgresql(dot)org> |
Subject: | PgBouncer 1.24.1 released - Fixes CVE-2025-2291 |
Date: | 2025-04-21 13:48:03 |
Message-ID: | 174524328396.676.264806485191433910@wrigleys.postgresql.org |
Lists: | pgsql-announce |
PgBouncer 1.24.1 has been released. This release fixes CVE-2025-2291, which
could allow an attacker to bypass the Postgres password expiry. Such a password
expiry would have been set up in Postgres using the `VALID UNTIL` clause. This
is a security issue that affects all versions of PgBouncer. If you use both
`VALID UNTIL` and `auth_user` then you should upgrade, or change the
`auth_query` in your config file to the new `auth_query` that is used by
default in this release. If you are using a custom `auth_query` then you should
update it to be similar to the new default `auth_query` in this release.

This release also fixes PAM authentication by reverting support for `pam` in
the HBA file. PAM authentication was accidentally broken in 1.24.0.

See [https://www.pgbouncer.org/2025/04/pgbouncer-1-24-1](https://www.pgbouncer.org/2025/04/pgbouncer-1-24-1) for more information, the detailed changelog, and download links.

PgBouncer is a lightweight connection pooler for PostgreSQL.
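A configuration check for the condition described in the announcement, added here as an example and not code from the PgBouncer project: it reads a `pgbouncer.ini` and reports whether `auth_user` is in use and whether a custom global `auth_query` references the expiry column (`rolvaliduntil` in `pg_authid`, `valuntil` in `pg_shadow`). The function name, status strings and both sample configs are constructed, and the expiry-aware query is an illustration, not the release's default `auth_query`.

```python
import configparser
import re

# VALID UNTIL is stored in pg_authid.rolvaliduntil and shown as pg_shadow.valuntil.
EXPIRY_COLUMN = re.compile(r"\b(rolvaliduntil|valuntil)\b", re.IGNORECASE)
# auth_user may also be set per database inside a [databases] connection string.
DB_AUTH_USER = re.compile(r"(^|\s)auth_user\s*=\s*\S")

# Constructed sample configs (hypothetical hosts, role names and queries).
SAMPLE_IGNORES_EXPIRY = """\
[databases]
app = host=10.0.0.5 port=5432 dbname=app auth_user=pgbouncer_auth
[pgbouncer]
auth_type = scram-sha-256
auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename=$1
"""
SAMPLE_READS_EXPIRY = SAMPLE_IGNORES_EXPIRY.replace(
    "SELECT usename, passwd",
    "SELECT usename, CASE WHEN valuntil < now() THEN NULL ELSE passwd END",
)


def audit_auth_query(ini_text):
    """Return "no-auth-user", "default-query", "expiry-ignored" or "expiry-read"."""
    cp = configparser.ConfigParser(
        interpolation=None,   # auth_query may contain % characters
        delimiters=("=",),    # connection strings hold ':' and further '=' signs
        allow_no_value=True,  # tolerate lines without '=' such as %include
    )
    cp.read_string(ini_text)
    main = cp["pgbouncer"] if cp.has_section("pgbouncer") else {}
    dbs = cp["databases"] if cp.has_section("databases") else {}

    uses_auth_user = bool(main.get("auth_user")) or any(
        DB_AUTH_USER.search(conn or "") for conn in dbs.values()
    )
    if not uses_auth_user:
        return "no-auth-user"      # auth_query is never consulted

    query = main.get("auth_query")  # only the global setting is inspected
    if not query:
        return "default-query"     # outcome depends on the PgBouncer version
    # Heuristic: the query must at least read the expiry column.
    return "expiry-read" if EXPIRY_COLUMN.search(query) else "expiry-ignored"


if __name__ == "__main__":
    for name in ("SAMPLE_IGNORES_EXPIRY", "SAMPLE_READS_EXPIRY"):
        print(name, "->", audit_auth_query(globals()[name]))
```

A result of `expiry-read` only shows that the column is referenced, so the query still needs review by hand; `default-query` is safe only on a release that ships the new default.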