Bug 550124 (CVE-2015-4054) - <dev-db/pgbouncer-1.5.5: DoS/remote crash: invalid packet order causes lookup of NULL pointer (CVE-2015-4054)
Alias: CVE-2015-4054
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa cve]
Depends on: CVE-2015-6817
Reported: 2015-05-22 07:13 UTC by Agostino Sarubbo
Modified: 2017-01-11 12:25 UTC

Description Agostino Sarubbo gentoo-dev 2015-05-22 07:13:50 UTC
From ${URL} :

PgBouncer, a lightweight connection pooler for PostgreSQL, fixed the
following issue with the 1.5.5 release:

> Fix remote crash - invalid packet order causes lookup of NULL
> pointer. Not exploitable, just DoS.

The issue was reported in and fixed in master
and in the stable-1.5 branch with

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Marcin Mirosław 2016-09-14 09:33:28 UTC
Pgbouncer-1.6.1 fixes CVE-2015-6817 [1] "authentication bypass".

[1] -
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2016-09-16 21:33:23 UTC
(In reply to Marcin Mirosław from comment #1)
> Pgbouncer-1.6.1 fixes CVE-2015-6817 [1] "authentication bypass".
> [1] -

That is a different bug - this one is 2015-4054. It does not look like CVE-2015-6817 was filed.

Maintainers, is the stable version for this bug (CVE-2015-4054) in tree?
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 18:14:12 UTC
Any stabilization effort should go into new sec bug 600184.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 13:31:14 UTC
Added to existing GLSA request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-01-11 12:25:25 UTC
This issue was resolved and addressed in
 GLSA 201701-24 at
by GLSA coordinator Aaron Bauman (b-man).