EDB PgBouncer 1.16.0.0 release notes v1

Released: 11 Dec 2021

EDB PgBouncer 1.16.1.0 includes the following upstream merge and security fix:

Type	Description
Upstream merge	Merged with community PgBouncer 1.16.1.0. See the community Release Notes for details.
Security fix	Make PgBouncer acting as a server reject extraneous data after an SSL or GSS encryption handshake. A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if PgBouncer did not demand any authentication data. However, a PgBouncer setup relying on SSL certificate authentication might well not do so.

Type

Description

Upstream merge

Merged with community PgBouncer 1.16.1.0. See the community Release Notes for details.

Security fix

Make PgBouncer acting as a server reject extraneous data after an SSL or GSS encryption handshake.

A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if PgBouncer did not demand any authentication data. However, a PgBouncer setup relying on SSL certificate authentication might well not do so.

← Prev

EDB PgBouncer 1.17.0.0 release notes

EDB PgBouncer 1.16.0.1 release notes

EDB PgBouncer 1.16.0.0 release notes v1

← Prev

Next →