Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 600184 (CVE-2015-6817) - <dev-db/pgbouncer-1.7.2: failed auth_query lookup leads to connection as auth_user (CVE-2015-6817)
Summary: <dev-db/pgbouncer-1.7.2: failed auth_query lookup leads to connection as auth...
Alias: CVE-2015-6817
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa cve]
Depends on:
Blocks: CVE-2015-4054
  Show dependency tree
Reported: 2016-11-18 18:09 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-01-11 12:25 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 18:09:27 UTC
New auth_user functionality introduced in 1.6 allows login as auth_user when client presents unknown username. It’s quite likely auth_user is superuser. Affects only setups that have enabled auth_user in their config.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 18:11:59 UTC
A fixed version is already in tree.

@ maintainer(s): Please tell us how to proceed. Is =dev-db/pgbouncer-1.7.2 ready for stabilization?
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-29 01:18:24 UTC
@ Arches,

please test and mark stable: =dev-db/pgbouncer-1.7.2
Comment 3 Agostino Sarubbo gentoo-dev 2016-11-29 11:23:13 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-11-29 11:24:15 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2017-01-02 07:34:25 UTC
please clean or mask the vulnerable versions.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-08 22:55:25 UTC
Cleanup PR:
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 13:31:34 UTC
Cleanup via

New GLSA request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2017-01-11 12:25:32 UTC
This issue was resolved and addressed in
 GLSA 201701-24 at
by GLSA coordinator Aaron Bauman (b-man).