Bug 600184 (CVE-2015-6817) - <dev-db/pgbouncer-1.7.2: failed auth_query lookup leads to connection as auth_user (CVE-2015-6817)
Status: RESOLVED FIXED
Alias: CVE-2015-6817
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B1 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2015-4054
Reported: 2016-11-18 18:09 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-01-11 12:25 UTC (History)

Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 18:09:27 UTC
New auth_user functionality introduced in 1.6 allows login as auth_user when client presents unknown username. It’s quite likely auth_user is superuser. Affects only setups that have enabled auth_user in their config.
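The description above pins the exposure to two conditions: auth_user is enabled (globally in the [pgbouncer] section or per database in a [databases] connect string) and the running build predates the fix. The following audit helper is an added example written for this page; it is not pgbouncer's or Gentoo's code. It parses a pgbouncer.ini, reports every place auth_user is set, and compares the installed version against 1.7.2, the build Gentoo stabilized in this bug (upstream's own fixed release is not stated on this page, so FIXED_VERSION is an assumption to adjust if you track upstream directly). The function names and the sample configuration are constructed for the example.

```python
"""Audit helper for the pgbouncer auth_user issue (CVE-2015-6817).

Added example, not pgbouncer's or Gentoo's own code. A deployment is
affected only if auth_user is enabled somewhere in pgbouncer.ini AND the
installed version predates the fix. FIXED_VERSION below is the version
Gentoo stabilized in this bug; it is an assumption for other distributions.
"""
import configparser
import re

FIXED_VERSION = (1, 7, 2)  # dev-db/pgbouncer-1.7.2, stabilized in this bug

# Constructed pgbouncer.ini: one database sets auth_user per database, and
# auth_query is configured, so unknown usernames would be looked up with it.
SAMPLE_INI = """
[databases]
appdb = host=127.0.0.1 port=5432 dbname=appdb auth_user=pgbouncer_auth
reportdb = host=127.0.0.1 port=5432 dbname=reportdb

[pgbouncer]
listen_port = 6432
auth_type = md5
auth_file = /etc/pgbouncer/userlist.txt
auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename=$1
"""


def parse_version(text):
    """Turn '1.7.2' or a Gentoo-style '1.7.2-r1' into a comparable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part or 0) for part in m.groups())


def find_auth_users(ini_text):
    """Return {scope: auth_user} for every place the config sets auth_user.

    scope is 'pgbouncer' for the global option, or the database alias for a
    per-database connect string. An empty dict means auth_user is disabled.
    """
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    found = {}
    if cfg.has_section("pgbouncer"):
        value = cfg.get("pgbouncer", "auth_user", fallback="").strip()
        if value:
            found["pgbouncer"] = value
    if cfg.has_section("databases"):
        for alias, connstr in cfg.items("databases"):
            # Connect strings are space-separated key=value pairs; quoted
            # values are not handled by this simplified parser.
            m = re.search(r"(?:^|\s)auth_user=(\S+)", connstr)
            if m:
                found[alias] = m.group(1)
    return found


def assess(ini_text, installed_version):
    """Combine the config and version checks into one verdict."""
    auth_users = find_auth_users(ini_text)
    pre_fix = parse_version(installed_version) < FIXED_VERSION
    return {
        "auth_users": auth_users,
        "pre_fix_version": pre_fix,
        # Both conditions must hold for the CVE to apply.
        "affected": bool(auth_users) and pre_fix,
    }


if __name__ == "__main__":
    for version in ("1.6.0", "1.7.2-r1"):
        print(version, assess(SAMPLE_INI, version))
```

Run it against the real /etc/pgbouncer/pgbouncer.ini and the version reported by `pgbouncer -V`; a non-empty `auth_users` on a pre-fix build is the configuration the description calls out, and the mitigation short of upgrading is to remove every auth_user setting it lists.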
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 18:11:59 UTC
A fixed version is already in tree.

@ maintainer(s): Please tell us how to proceed. Is =dev-db/pgbouncer-1.7.2 ready for stabilization?
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-29 01:18:24 UTC
@ Arches,

please test and mark stable: =dev-db/pgbouncer-1.7.2
Comment 3 Agostino Sarubbo gentoo-dev 2016-11-29 11:23:13 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-11-29 11:24:15 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2017-01-02 07:34:25 UTC
please clean or mask the vulnerable versions.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-08 22:55:25 UTC
Cleanup PR: https://github.com/gentoo/gentoo/pull/3388
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 13:31:34 UTC
Cleanup via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=21d4894c33d001a22513bb5ff7d4fae54fc41c6c

New GLSA request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2017-01-11 12:25:32 UTC
This issue was resolved and addressed in
 GLSA 201701-24 at https://security.gentoo.org/glsa/201701-24
by GLSA coordinator Aaron Bauman (b-man).