=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN251

_____________________________________________________________________

DATE                : 23/04/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running PgBouncer versions prior to 1.24.1.

=====================================================================
https://www.postgresql.org/about/news/pgbouncer-1241-released-fixes-cve-2025-2291-3059/
_____________________________________________________________________

PgBouncer 1.24.1 released - Fixes CVE-2025-2291
Posted on 2025-04-21 by PgBouncer

PgBouncer 1.24.1 has been released. This release fixes CVE-2025-2291,
which could allow an attacker to bypass Postgres's password expiry.
Such a password expiry would have been set up in Postgres using the
VALID UNTIL clause. This is a security issue that affects all
versions of PgBouncer. If you use both VALID UNTIL and auth_user
then you should upgrade, or change the auth_query in your config
file to the new auth_query that is used by default in this release.
If you are using a custom auth_query then you should update it to be
similar to the new default auth_query in this release.

This release also fixes PAM authentication by reverting support
for pam in the HBA file. PAM authentication was accidentally
broken in 1.24.0.

See https://www.pgbouncer.org/2025/04/pgbouncer-1-24-1 for more
information, the detailed changelog, and download links.

PgBouncer is a lightweight connection pooler for PostgreSQL.
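Added illustration of the auth_query change described above; this is a constructed pgbouncer.ini fragment, not the project's own new default (which the bulletin does not reproduce). It assumes auth_user is a role allowed to read pg_shadow, and uses pg_shadow's valuntil column, which holds the VALID UNTIL timestamp.

```ini
; Constructed example of the auth_query setting in pgbouncer.ini (not the
; project's own text). The role named in auth_user must be able to read
; pg_shadow for auth_query to work.
[pgbouncer]
auth_type = scram-sha-256
auth_user = pgbouncer

; Weak shape: returns the stored password hash for any role name, so a role
; whose VALID UNTIL has already passed is still authenticated by PgBouncer,
; and the expiry configured in Postgres is bypassed.
; auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename = $1

; Hardened shape: returns no row for a role whose VALID UNTIL has passed, so
; PgBouncer rejects the login. A NULL valuntil means the password never expires.
auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename = $1 AND (valuntil IS NULL OR valuntil > now())
```

After changing auth_query, reload PgBouncer and verify that a role with an already-past VALID UNTIL is refused through the pooler as well as by Postgres directly.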


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
