From https://bugzilla.redhat.com/show_bug.cgi?id=872527 :

A denial of service flaw was found in the way pgbouncer, a lightweight connection pooler for PostgreSQL, performed processing of client requests attempting to add new database(s) with large name(s). A remote attacker could use this flaw to cause pooler server shutdown.

Relevant upstream patch:
[1] http://git.postgresql.org/gitweb/?p=pgbouncer.git;a=commitdiff;h=4b92112b820830b30cd7bc91bef3dd8f35305525

References:
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692103
pgbouncer 1.5.3 includes a fix for this. See bug 419171.
CVE-2012-4575 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4575): The add_database function in objects.c in the pgbouncer pooler 1.5.2 for PostgreSQL allows remote attackers to cause a denial of service (daemon outage) via a long database name in a request.
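The CVE text above says only that a long database name in a request takes the daemon down. The following C program is an added illustration of that bug class and is not pgbouncer's objects.c: a fixed-size name buffer, a tiny database registry, and a fatal() that terminates the process are all assumptions made here to model the behaviour. add_database_vulnerable() "handles" an overlong name by aborting the whole pooler, which is exactly what turns a bad login packet into a remote denial of service; add_database_fixed() rejects the request and leaves the server running. Whether the upstream commit referenced above looks like the hardened variant byte for byte is not something this bug states.

```c
/*
 * Illustrative model of CVE-2012-4575 (added example, not pgbouncer code).
 * Assumptions (hypothetical, not from the bug report): MAX_DBNAME and
 * MAX_DBS sizes, a flat registry array, and a process-terminating fatal().
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DBNAME 64   /* assumed size of the name buffer */
#define MAX_DBS    8    /* assumed size of the database registry */

typedef struct {
    char name[MAX_DBNAME];
    int  in_use;
} PgDatabase;

static PgDatabase db_list[MAX_DBS];

/* Models a fatal() helper: log, then terminate the whole pooler process. */
static void fatal(const char *msg, const char *arg)
{
    fprintf(stderr, "FATAL: %s: %.32s...\n", msg, arg);
    exit(1);
}

static PgDatabase *find_database(const char *name)
{
    for (int i = 0; i < MAX_DBS; i++)
        if (db_list[i].in_use && strcmp(db_list[i].name, name) == 0)
            return &db_list[i];
    return NULL;
}

static PgDatabase *alloc_slot(void)
{
    for (int i = 0; i < MAX_DBS; i++)
        if (!db_list[i].in_use)
            return &db_list[i];
    return NULL;
}

/* strlcpy-style copy: returns strlen(src), so >= dstsize means truncation. */
static size_t copy_name(char *dst, const char *src, size_t dstsize)
{
    size_t n = strlen(src);
    size_t c = n < dstsize - 1 ? n : dstsize - 1;
    memcpy(dst, src, c);
    dst[c] = '\0';
    return n;
}

/* Vulnerable pattern: an unauthenticated client's overlong name kills the daemon. */
PgDatabase *add_database_vulnerable(const char *name)
{
    PgDatabase *db = find_database(name);
    if (db)
        return db;
    db = alloc_slot();
    if (!db)
        return NULL;
    if (copy_name(db->name, name, sizeof(db->name)) >= sizeof(db->name))
        fatal("Too long db name", name);   /* process exits here: remote DoS */
    db->in_use = 1;
    return db;
}

/* Hardened pattern: fail only this request, keep the pooler up. */
PgDatabase *add_database_fixed(const char *name)
{
    PgDatabase *db = find_database(name);
    if (db)
        return db;
    db = alloc_slot();
    if (!db)
        return NULL;
    if (copy_name(db->name, name, sizeof(db->name)) >= sizeof(db->name)) {
        fprintf(stderr, "WARNING: rejecting too long db name (%zu bytes)\n",
                strlen(name));
        db->name[0] = '\0';   /* leave the slot clean for reuse */
        return NULL;          /* caller refuses this client's login only */
    }
    db->in_use = 1;
    return db;
}

/* Constructed attacker input: a name three times longer than the buffer. */
const char *overlong_name(void)
{
    static char buf[MAX_DBNAME * 3];
    memset(buf, 'A', sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    return buf;
}

int main(void)
{
    printf("fixed: normal name -> %s\n", add_database_fixed("postgres") ? "ok" : "NULL");
    printf("fixed: overlong name -> %s\n", add_database_fixed(overlong_name()) ? "ok" : "rejected");
    printf("fixed: server still serving -> %s\n", add_database_fixed("postgres") ? "ok" : "NULL");
    printf("vulnerable: overlong name -> (process terminates)\n");
    add_database_vulnerable(overlong_name());
    return 0;   /* never reached */
}
```

The point of the comparison is the error-handling policy, not the bounds check itself: both variants detect the overlong name correctly, but treating a client-controlled value as a fatal invariant violation hands every remote client a shutdown switch. Input that comes off the wire must fail the request, not the process.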
*pgbouncer-1.5.4 (19 Jul 2013)

  19 Jul 2013; Aaron W. Swenson <titanofold@gentoo.org> -pgbouncer-1.4.2.ebuild,
  -pgbouncer-1.5.ebuild, -pgbouncer-1.5.1.ebuild, -pgbouncer-1.5.2.ebuild,
  -pgbouncer-1.5.3.ebuild, -pgbouncer-1.5.3-r1.ebuild, +pgbouncer-1.5.4.ebuild,
  +files/logrotate, +files/pgbouncer.confd, +files/pgbouncer-dirs.patch,
  files/pgbouncer.initd, metadata.xml:
  Clean out old and insecure versions. Version bump. Fixes bugs 425480, 460310,
  477062, and 425034.
Hm, I am not sure why this was ranked as 'B3'; it seems that the package has no stable version.
Vulnerable versions have left the tree and no GLSA is required; closing as FIXED.