|
|
Subscribe / Log in / New account

Arch Linux alert ASA-201505-16 (pgbouncer)



From:
    	      Levente Polyak <anthraxx@archlinux.org> 


To:
    	      arch-security@archlinux.org 


Subject:
    	      [arch-security] [ASA-201505-16] pgbouncer: denial of service 


Date:
    	      Tue, 26 May 2015 03:08:55 +0200


Message-ID:
    	      <5563C7A7.8060503@archlinux.org>


Arch Linux Security Advisory ASA-201505-16
==========================================

Severity: Medium
Date    : 2015-05-26
CVE-ID  : CVE-2015-4054
Package : pgbouncer
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package pgbouncer before version 1.5.5-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 1.5.5-1.

# pacman -Syu "pgbouncer>=1.5.5-1"

The problem has been fixed upstream in version 1.5.5.

Workaround
==========

None.

Description
===========

A remote denial of service vulnerability in check_client_passwd() has
been discovered. The issue is triggered if a password packet appears
before the startup packet. In such case a null pointer is dereferenced
that is leading to application crash.

Impact
======

A remote attacker is able to send specially crafted packets that is
leading to application crash resulting in denial of service.

References
==========

http://www.openwall.com/lists/oss-security/2015/05/21/2
https://access.redhat.com/security/cve/CVE-2015-4054
https://github.com/pgbouncer/pgbouncer/issues/42
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds