From ${URL} :

PgBouncer, a lightweight connection pooler for PostgreSQL, fixed the following issue with the 1.5.5 release:

> Fix remote crash - invalid packet order causes lookup of NULL
> pointer. Not exploitable, just DoS.

https://pgbouncer.github.io/2015/04/pgbouncer-1-5-5/

The issue was reported in https://github.com/pgbouncer/pgbouncer/issues/42 and fixed in master with https://github.com/pgbouncer/pgbouncer/commit/edab5be6665b9e8de66c25ba527509b229468573 and in the stable-1.5 branch with https://github.com/pgbouncer/pgbouncer/commit/74d6e5f7de5ec736f71204b7b422af7380c19ac5

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for stabilization or not.
Pgbouncer-1.6.1 fixes CVE-2015-6817 [1] "authentication bypass". [1] - https://security-tracker.debian.org/tracker/CVE-2015-6817
(In reply to Marcin Mirosław from comment #1)
> Pgbouncer-1.6.1 fixes CVE-2015-6817 [1] "authentication bypass".
>
> [1] - https://security-tracker.debian.org/tracker/CVE-2015-6817

That is a different bug; this one is CVE-2015-4054. It does not look like CVE-2015-6817 was filed.

Maintainers, is the stable version for this bug (CVE-2015-4054) in tree?
Any stabilization effort should go into new sec bug 600184.
Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201701-24 at https://security.gentoo.org/glsa/201701-24 by GLSA coordinator Aaron Bauman (b-man).