Debian alert DLA-3993-1 (pgpool2)
From: Abhijith PA <abhijith@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3993-1] pgpool2 security update
Date: Fri, 13 Dec 2024 09:00:00 +0530
Message-ID: <Z1uqOIwIIN6FV9si@debian.org>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3993-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
December 12, 2024                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : pgpool2
Version        : 4.1.4-3+deb11u1
CVE ID         : CVE-2023-22332 CVE-2024-45624

Two vulnerabilities were discovered in pgpool2, a connection pool server
and replication proxy for PostgreSQL.

CVE-2023-22332

    A specific database user's authentication information may be
    obtained by another database user. As a result, the information
    stored in the database may be altered and/or the database may be
    suspended by a remote attacker who has successfully logged in to
    the product with the obtained credentials.

CVE-2024-45624

    When the query cache feature is enabled, it was possible for a
    database user to read, through the query cache, rows from tables
    that should not be visible to that user.

For Debian 11 bullseye, these problems have been fixed in version
4.1.4-3+deb11u1.

We recommend that you upgrade your pgpool2 packages.

For the detailed security status of pgpool2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pgpool2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
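A host triage check for the two CVEs above, as an added example that is not part of the advisory or of pgpool2. It reimplements Debian version ordering so it runs without dpkg, and compares an installed version against the fixed version stated in the advisory. It assumes the query cache is switched by the `memory_cache_enabled` parameter in pgpool.conf and is off when unset; all function names are hypothetical.

```python
import re
from itertools import zip_longest

FIXED = "4.1.4-3+deb11u1"  # fixed version for Debian 11 bullseye, from the advisory

def _order(c):  # dpkg weights: '~' first, then end of string (0), letters, symbols
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare upstream or revision strings as alternating non-digit and digit runs."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for x, y in zip_longest(map(_order, na), map(_order, nb), fillvalue=0):
            if x != y:
                return -1 if x < y else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def deb_compare(a, b):
    """Return -1, 0 or 1 following Debian version ordering."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def query_cache_enabled(conf_text):
    """True if the last memory_cache_enabled assignment in pgpool.conf turns it on."""
    enabled = False  # assumption: the parameter defaults to off when absent
    for line in conf_text.splitlines():
        m = re.match(r"\s*memory_cache_enabled\s*=\s*'?(\w+)", line.split("#", 1)[0])
        if m:
            enabled = m.group(1).lower() in ("on", "true", "yes", "1")
    return enabled

def triage(installed, conf_text):
    """Map an installed pgpool2 version and its config text to exposure per CVE."""
    vulnerable = deb_compare(installed, FIXED) < 0
    return {"CVE-2023-22332": vulnerable,
            "CVE-2024-45624": vulnerable and query_cache_enabled(conf_text)}

if __name__ == "__main__":  # constructed sample: unpatched host with the cache on
    print(triage("4.1.4-3", "memory_cache_enabled = on\n"))
```

Feed `triage` the version string reported by `dpkg-query -W -f='${Version}' pgpool2` and the contents of the host's pgpool.conf.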
