-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 10 May 2026 11:44:27 +0200
Source: pgbouncer
Binary: pgbouncer pgbouncer-dbgsym
Architecture: arm64
Version: 1.24.1-1+deb13u2
Distribution: trixie
Urgency: medium
Maintainer: arm64 Build Daemon (arm-ubc-02)
Changed-By: Christoph Berg
Description:
 pgbouncer - lightweight connection pooler for PostgreSQL
Changes:
 pgbouncer (1.24.1-1+deb13u2) trixie; urgency=medium
 .
   * Security update.
   * Fix CVE-2026-6664: An integer overflow in network packet parsing code
     in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a
     crash. An unauthenticated remote attacker can crash PgBouncer with a
     malformed SCRAM authentication packet.
   * Fix CVE-2026-6665: The SCRAM code in PgBouncer before 1.25.2 did not
     check the return value of strlcat() correctly when building the
     contents of the SCRAM client-final-message. A malicious backend that
     sends a SCRAM server-final-message with a long nonce can trigger a
     stack overflow.
   * Fix CVE-2026-6666: A possible null pointer reference in PgBouncer
     before 1.25.2 could lead to a crash, if a server sends an error
     response without SQLSTATE field.
   * Fix CVE-2026-6667: PgBouncer before 1.25.2 did not perform an
     appropriate authorization check for the KILL_CLIENT admin command. All
     users with access to the administration console (which itself requires
     authorization) could run this command. It would have been correct to
     allow only users listed in the admin_users parameter.