-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 10 May 2026 11:44:27 +0200
Source: pgbouncer
Binary: pgbouncer pgbouncer-dbgsym
Architecture: amd64
Version: 1.24.1-1+deb13u2
Distribution: trixie
Urgency: medium
Maintainer: amd64 / i386 Build Daemon (x86-ubc-01) <buildd_amd64-x86-ubc-01@buildd.debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Description:
 pgbouncer  - lightweight connection pooler for PostgreSQL
Changes:
 pgbouncer (1.24.1-1+deb13u2) trixie; urgency=medium
 .
   * Security update.
       * Fix CVE-2026-6664: An integer overflow in network packet parsing code
         in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a
         crash. An unauthenticated remote attacker can crash PgBouncer with a
         malformed SCRAM authentication packet.
       * Fix CVE-2026-6665: The SCRAM code in PgBouncer before 1.25.2 did not
         check the return value of strlcat() correctly when building the
         contents of the SCRAM client-final-message. A malicious backend that
         sends a SCRAM server-final-message with a long nonce can trigger a
         stack overflow.
       * Fix CVE-2026-6666: A possible null pointer reference in PgBouncer
         before 1.25.2 could lead to a crash, if a server sends an error
         response without SQLSTATE field.
       * Fix CVE-2026-6667: PgBouncer before 1.25.2 did not perform an
         appropriate authorization check for the KILL_CLIENT admin command. All
         users with access to the administration console (which itself requires
         authorization) could run this command. It would have been correct to
         allow only users listed in the admin_users parameter.
Checksums-Sha1:
 a7ae4a6f9abd0dbcfd02fb83466d31694cf8b552 580592 pgbouncer-dbgsym_1.24.1-1+deb13u2_amd64.deb
 67559a6ae0d06e9e15a0ff83fb01011253c19e59 8836 pgbouncer_1.24.1-1+deb13u2_amd64-buildd.buildinfo
 255700ec30e316bfa89cbe55cb4df40866502adf 248496 pgbouncer_1.24.1-1+deb13u2_amd64.deb
Checksums-Sha256:
 6e2da17301f39e1ab1194db5e18689bad27d7cdfad8eed4eb2caf4b76860e9c4 580592 pgbouncer-dbgsym_1.24.1-1+deb13u2_amd64.deb
 01572d425c178b3cf95b506a74649226046aa9865ccb81089da0330825a28589 8836 pgbouncer_1.24.1-1+deb13u2_amd64-buildd.buildinfo
 19a7df742f9c664ac88d04c5327ed97266844fd900ea7ccf0d8f6ddf27eca0db 248496 pgbouncer_1.24.1-1+deb13u2_amd64.deb
Files:
 d69a2d28f92c01052f43d2d57172bf3f 580592 debug optional pgbouncer-dbgsym_1.24.1-1+deb13u2_amd64.deb
 86f37977dcc80d66f29d49b429b343e7 8836 database optional pgbouncer_1.24.1-1+deb13u2_amd64-buildd.buildinfo
 f4917f8c1f09cc01a44865b4e8b27c75 248496 database optional pgbouncer_1.24.1-1+deb13u2_amd64.deb

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
