[Pkg-postgresql-public] pgbouncer DoS fix

Christoph Berg myon at debian.org
Sat May 23 20:55:06 UTC 2015


Re: Salvatore Bonaccorso 2015-05-22 <20150522183344.GA1211 at eldamar.local>
> Hi Christoph,
> 
> On Wed, May 20, 2015 at 10:51:32PM +0200, Christoph Berg wrote:
> > Hi,
> > 
> > there's a new pgbouncer release out that fixes a DoS. The effective
> > change is:
> > 
> > --- pgbouncer-1.5.4/NEWS	2012-11-28 14:06:30.000000000 +0100
> > +++ pgbouncer-1.5.5/NEWS	2015-04-09 16:07:52.000000000 +0200
> > @@ -1,3 +1,10 @@
> > +2015-04-09  -  PgBouncer 1.5.5  -  "Play Dead To Win"
> > +
> > +  = Fixes =
> > +
> > +    * Fix remote crash - invalid packet order causes lookup of NULL
> > +      pointer.  Not exploitable, just DoS.
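Review bot: the entry names the crash cause (invalid packet order leading to a NULL pointer lookup) but gives no upstream commit, affected-version range, or CVE, so a packager backporting onto 1.5.4 cannot locate the actual code change from this NEWS text alone; now that CVE-2015-4054 is assigned, reference it and the fixing commit here. The "Not exploitable, just DoS" line should also say whether the bad packet sequence is reachable before authentication, since a pre-auth remote crash of the pooler is exactly the severity question a stable update has to answer.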
> 
> This has been assigned CVE-2015-4054 now[0]. Given the explanation you
> gave me on the use case I think it would be safe to schedule this
> through a (old)stable proposed-update. Could you contact the release
> team to have it updated for jessie and wheezy?
> 
>  [0] http://www.openwall.com/lists/oss-security/2015/05/22/5

Hi Salvatore,

ok, will do. Thanks for the assignment!

Christoph
-- 
cb at df7cb.de | http://www.df7cb.de/