| From: | PgBouncer via PostgreSQL Announce <announce-noreply(at)postgresql(dot)org> |
|---|---|
| To: | PostgreSQL Announce <pgsql-announce(at)lists(dot)postgresql(dot)org> |
| Subject: | PgBouncer 1.25.1 released - Fixing a bunch of bugs before Christmas (including CVE-2025-12819) |
| Date: | 2025-12-03 22:17:29 |
| Message-ID: | 176480024948.2921403.17247771773846586825@wrigleys.postgresql.org |
| Lists: | pgsql-announce |
PgBouncer 1.25.1 has been released. This release fixes CVE-2025-12819:
Before this release it was possible for an unauthenticated attacker to execute arbitrary SQL during authentication by providing a malicious search_path parameter in the StartupMessage. Systems that have ALL the following configurations are vulnerable:
1. `track_extra_parameters` includes search_path (non-default configuration, probably only configured in setups involving Citus or PostgreSQL 18)
2. `auth_user` is set to a non-empty string (non-default configuration)
3. `auth_query` is configured without fully-qualified object names (default configuration, the < operator is not schema q
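As an added check (example code, not part of this announcement or of the PgBouncer project), the script below parses a pgbouncer.ini and reports whether all three advisory conditions hold at once; the sample config and the schema-qualified form of `auth_query` used for the hardened variant are constructed assumptions, and the "unqualified table" test is a regex heuristic rather than a SQL parser.

```python
"""Heuristic check for the three CVE-2025-12819 preconditions in pgbouncer.ini."""
import configparser
import re

# Constructed sample config that meets all three advisory conditions.
VULNERABLE_INI = """
[databases]
* = host=127.0.0.1 port=5432

[pgbouncer]
listen_port = 6432
auth_type = md5
auth_user = pgbouncer
auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename=$1
track_extra_parameters = IntervalStyle, search_path
"""

# Same config with every object in auth_query schema-qualified (assumed
# mitigation form for illustration, not quoted from the project).
HARDENED_INI = VULNERABLE_INI.replace(
    "FROM pg_shadow WHERE usename=$1",
    "FROM pg_catalog.pg_shadow WHERE usename OPERATOR(pg_catalog.=) $1",
)

# Table references after FROM/JOIN that carry no "schema." prefix.
UNQUALIFIED_TABLE = re.compile(r"\b(?:FROM|JOIN)\s+(?!\w+\.)(\w+)", re.IGNORECASE)


def check_pgbouncer_ini(text: str) -> dict:
    """Return which advisory conditions the [pgbouncer] section satisfies."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $1 literal
    cp.read_string(text)
    sect = cp["pgbouncer"] if cp.has_section("pgbouncer") else {}
    extra = [p.strip().lower() for p in sect.get("track_extra_parameters", "").split(",")]
    auth_user = sect.get("auth_user", "").strip()
    auth_query = sect.get("auth_query")
    if auth_query is None:
        # Unset means the built-in default, which the advisory says is unqualified.
        unqualified = True
    else:
        unqualified = bool(UNQUALIFIED_TABLE.findall(auth_query))
    conds = {
        "tracks_search_path": "search_path" in extra,   # condition 1
        "auth_user_set": auth_user != "",               # condition 2
        "auth_query_unqualified": unqualified,          # condition 3 (heuristic)
    }
    conds["all_three"] = all(conds.values())
    return conds
```

Run it against your own pgbouncer.ini; only a config where every flag is true matches the advisory's vulnerable combination, and schema-qualifying `auth_query` (or dropping `search_path` from `track_extra_parameters`) clears it.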
This release also fixes a bunch of bugs/issues introduced in the recent 1.25.0 release.
See the full details in the [changelog](https://pgbouncer.org/changelog.html#pgbouncer-125x).
Download here:
[pgbouncer-1.25.1.tar.gz](https://pgbouncer.org/downloads/files/1.25.1/pgbouncer-1.25.1.tar.gz)
([sha256](https://pgbouncer.org/downloads/files/1.25.1/pgbouncer-1.25.1.tar.gz.sha256))