New auth_user functionality introduced in 1.6 allows login as auth_user when client presents unknown username. It's quite likely auth_user is superuser. Affects only setups that have enabled auth_user in their config.
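Since only setups with auth_user enabled are affected, the following added example (not part of this bug report or of the pgbouncer project) audits a pgbouncer.ini for it. It assumes auth_user can appear as a global setting in `[pgbouncer]` or as a keyword in a `[databases]` connection string; the function name and the sample config are constructed for illustration.

```python
import configparser
import re

# Constructed sample config for illustration (not taken from the bug report).
SAMPLE_INI = """\
[databases]
; per-database auth_user inside the connection string
appdb = host=127.0.0.1 port=5432 dbname=appdb auth_user=pgbouncer_auth
reports = host=127.0.0.1 dbname=reports

[pgbouncer]
listen_port = 6432
auth_type = md5
auth_file = /etc/pgbouncer/userlist.txt
"""

# key=value pairs of a connection string; values may be single-quoted.
KV = re.compile(r"(\w+)\s*=\s*('(?:[^']|'')*'|\S+)")


def find_auth_user(ini_text):
    """Return [(location, role)] for every place auth_user is enabled."""
    cp = configparser.ConfigParser(
        interpolation=None,            # '%' in values is literal
        delimiters=("=",),             # only the first '=' splits key and value
        comment_prefixes=(";", "#"),
        allow_no_value=True,           # tolerate lines such as '%include file'
        strict=False,
    )
    cp.optionxform = str               # keep database names case-sensitive
    cp.read_string(ini_text)

    findings = []
    if cp.has_section("pgbouncer"):
        role = cp["pgbouncer"].get("auth_user")
        if role:
            findings.append(("[pgbouncer]", role.strip()))
    if cp.has_section("databases"):
        for name, connstr in cp["databases"].items():
            for key, val in KV.findall(connstr or ""):
                if key == "auth_user":
                    findings.append((f"[databases] {name}", val.strip("'")))
    return findings


if __name__ == "__main__":
    for location, role in find_auth_user(SAMPLE_INI):
        print(f"auth_user enabled at {location}: role={role}")
```

An empty result means the configuration does not enable auth_user; any finding identifies a role whose privileges should be checked while the package is being updated.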
A fixed version is already in tree. @ maintainer(s): Please tell us how to proceed. Is =dev-db/pgbouncer-1.7.2 ready for stabilization?
@ Arches, please test and mark stable: =dev-db/pgbouncer-1.7.2
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
please clean or mask the vulnerable versions.
Cleanup PR: https://github.com/gentoo/gentoo/pull/3388
Cleanup via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=21d4894c33d001a22513bb5ff7d4fae54fc41c6c New GLSA request filed.
This issue was resolved and addressed in GLSA 201701-24 at https://security.gentoo.org/glsa/201701-24 by GLSA coordinator Aaron Bauman (b-man).