| Summary: | <dev-db/pgbouncer-1.5.3: DoS (CVE-2012-4575) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | bugs, pgsql-bugs, proxy-maint, titanofold |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=872527 | | |
| Whiteboard: | ~3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description

Agostino Sarubbo 2012-11-02 13:02:29 UTC

pgbouncer 1.5.3 includes a fix for this. See bug 419171.

CVE-2012-4575 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4575): The add_database function in objects.c in the pgbouncer pooler 1.5.2 for PostgreSQL allows remote attackers to cause a denial of service (daemon outage) via a long database name in a request.

*pgbouncer-1.5.4 (19 Jul 2013)

  19 Jul 2013; Aaron W. Swenson <titanofold@gentoo.org> -pgbouncer-1.4.2.ebuild, -pgbouncer-1.5.ebuild, -pgbouncer-1.5.1.ebuild, -pgbouncer-1.5.2.ebuild, -pgbouncer-1.5.3.ebuild, -pgbouncer-1.5.3-r1.ebuild, +pgbouncer-1.5.4.ebuild, +files/logrotate, +files/pgbouncer.confd, +files/pgbouncer-dirs.patch, files/pgbouncer.initd, metadata.xml:
  Clean out old and insecure versions. Version bump. Fixes bugs 425480, 460310, 477062, and 425034.

Hm, I am not sure why this was ranked as 'B3'; it seems that the package has no stable version. Vulnerable versions have left the tree and no GLSA is required; closing as FIXED.