Format: 1.8
Date: Sun, 10 May 2026 11:44:27 +0200
Source: pgbouncer
Binary: pgbouncer pgbouncer-dbgsym
Architecture: riscv64
Version: 1.24.1-1+deb13u2
Distribution: trixie
Urgency: medium
Maintainer: riscv64 Build Daemon (rv-osuosl-03)
Changed-By: Christoph Berg
Description:
 pgbouncer - lightweight connection pooler for PostgreSQL
Changes:
 pgbouncer (1.24.1-1+deb13u2) trixie; urgency=medium
 .
   * Security update.
   * Fix CVE-2026-6664: An integer overflow in network packet parsing code
     in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a
     crash. An unauthenticated remote attacker can crash PgBouncer with a
     malformed SCRAM authentication packet.
   * Fix CVE-2026-6665: The SCRAM code in PgBouncer before 1.25.2 did not
     check the return value of strlcat() correctly when building the
     contents of the SCRAM client-final-message. A malicious backend that
     sends a SCRAM server-final-message with a long nonce can trigger a
     stack overflow.
   * Fix CVE-2026-6666: A possible null pointer reference in PgBouncer
     before 1.25.2 could lead to a crash, if a server sends an error
     response without SQLSTATE field.
   * Fix CVE-2026-6667: PgBouncer before 1.25.2 did not perform an
     appropriate authorization check for the KILL_CLIENT admin command.
     All users with access to the administration console (which itself
     requires authorization) could run this command. It would have been
     correct to allow only users listed in the admin_users parameter.