-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sat, 20 Dec 2025 13:52:56 +0100 Source: pgbouncer Binary: pgbouncer pgbouncer-dbgsym Architecture: amd64 Version: 1.24.1-1+deb13u1 Distribution: trixie Urgency: medium Maintainer: amd64 / i386 Build Daemon (x86-csail-01) Changed-By: Andreas Henriksson Description: pgbouncer - lightweight connection pooler for PostgreSQL Changes: pgbouncer (1.24.1-1+deb13u1) trixie; urgency=medium . * Non-maintainer upload by the Debian LTS Security Team. * CVE-2025-12819: execute arbitrary SQL during authentication. Untrusted search path in auth_query connection handler in PgBouncer before 1.25.1 allows an unauthenticated attacker to execute arbitrary SQL during authentication via a malicious search_path parameter in the StartupMessage. Checksums-Sha1: dfb099a57033633181d0de21ab0a77a249f9e3ad 580268 pgbouncer-dbgsym_1.24.1-1+deb13u1_amd64.deb bbaa3fbdd27eb7cf71b7008289c167550f6f5362 8768 pgbouncer_1.24.1-1+deb13u1_amd64-buildd.buildinfo 860498b22ff27fc89631f1029b9047db7de096a0 247828 pgbouncer_1.24.1-1+deb13u1_amd64.deb Checksums-Sha256: eb7ea14e6c25d4f3eb64263b07f72fdc9b9baccb908540b827436a5d87acbeec 580268 pgbouncer-dbgsym_1.24.1-1+deb13u1_amd64.deb 283830dd56b31c8617513b6a5ba51a84a5778f26e3405ff3e9ce5c6c33475f94 8768 pgbouncer_1.24.1-1+deb13u1_amd64-buildd.buildinfo d4a0df8547b566b16f19fff2c0bd63a63c87796dcc2c46268a5e2473a4b57637 247828 pgbouncer_1.24.1-1+deb13u1_amd64.deb Files: 982d8af7135ecc1bc4d608853eda5639 580268 debug optional pgbouncer-dbgsym_1.24.1-1+deb13u1_amd64.deb fc16114750161af2f5033113941631ac 8768 database optional pgbouncer_1.24.1-1+deb13u1_amd64-buildd.buildinfo 5a6bf389e9278cb066b044a1ce6bc045 247828 database optional pgbouncer_1.24.1-1+deb13u1_amd64.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEXNeYFUF3FbHcrtSeIy3Pg040HrAFAmlW9JMACgkQIy3Pg040 HrBTNg/8DntYxcayXnNzf+RtwYt4q+tpQZ8q9Mjdc/QD8Z9a2l04AHt2JtlfHg8+ Xbl7wAHzKXVZQd7LhLYlaGj5tLOTeDvaDjdKd4sYvZDGQgoKZiXgIgRW+P371eto IBTCOogvjMDhqPaVKL84CMOLKrq4frw/9XeqP/VXHfG8p/GTLNvW2ddG09nhay5N J3igm3SzJUuLp7qUPZPgHPPMwcqq/0ko2zpXX4ovF+qklbC3IBXBPk+PgziFB4j9 QYrd/5biKEXcI6lt+DOD175zDDlMypQFKB1MzZgetiMdCtk+LjVHWWPS3XvUqzg8 iPKL5TUgSMvVDPb2jw3y3GE2/asmy+E/dbsfLQk9PZ2vvS1IR1t+z4XPHBwX6zc1 P2LmE7nSZvmp1/L5W/hieUcd8E/e7t/R7MC4LOGUM3/JKUm3GGrk8zqgMSP2b+V1 zv45Z1QmwKNi5410n3XH4G9whXmRVK2LLNLfswHESUOOoiZbPqttbGaK0NaX1tPR TtHNKEBajap7O5AnvtAv/NBO8hxfFXAFhDv5Gc37CGcFbq4UaNBnyqvuSSN2fkSJ YttVRJuNV8rNsBe3D2NbX1TbMKFAlBs6w/cZphJCmXX4K9mx06J7tuW/eJG6EG3a 41zurDNRJdyp0v5Gq1F4GNBUpmvkyAt0O0SGDD0tKJOJwKF+to4= =Nfmd -----END PGP SIGNATURE-----