https://pgbouncer.github.io/2015/04/pgbouncer-1-5-5/
Hi, thanks for letting me know. But I do not see any patches attached. As far as I can understand, the vulnerability does not allow remote code execution. So for now I suggest you block incoming connections from untrusted hosts via firewall (that is good practice in any case). Regarding the update, I will take a look when I have some time. Thanks.
Created attachment 157597: security/vuxml entry for pgbouncer CVE-2015-4054

Document pgbouncer remote denial of service

We should document this while we are pressing on with the update. Entry attached for the documentation. Reference the release page on Github for the blockquote text, the mailing list post for the CVE info, and this PR number for details on tracking the progress. Set the discovery date to when the fix was committed on Github.
Created attachment 157598: security/vuxml entry for pgbouncer CVE-2015-4054

Document pgbouncer remote denial of service

Sorry, wrapped the text properly this time... Also, validation info follows:

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pgbouncer-1.5.4
pgbouncer-1.5.4 is vulnerable:
pgbouncer -- remote denial of service
CVE: CVE-2015-4054
WWW: http://vuxml.FreeBSD.org/freebsd/8fbd4187-0f18-11e5-b6a8-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pgbouncer-1.5.5
0 problem(s) in the installed packages found.
@Maintainer & ports-secteam: Attachment 157597 (VuXML change) can be committed independently and prior to a pending patch to the port. (needs-patch)
A commit references this bug:

Author: delphij
Date: Wed Jun 10 17:34:22 UTC 2015
New revision: 389105
URL: https://svnweb.freebsd.org/changeset/ports/389105

Log:
  Document pgbouncer remote denial of service vulnerability.

  PR:           200537
  Submitted by: Jason Unovitch

Changes:
  head/security/vuxml/vuln.xml
Created attachment 157620: Proposed patch

Note that upstream moved to github. I've inspected the new tarball and found the changes legitimate.
Thanks for your work! The patch seems OK to me.
A commit references this bug:

Author: delphij
Date: Wed Jun 10 20:28:56 UTC 2015
New revision: 389143
URL: https://svnweb.freebsd.org/changeset/ports/389143

Log:
  Security update to 1.5.5, while there also move the upstream to github.

  PR:          200537
  Approved by: maintainer
  MFH:         2015Q2 (test)

Changes:
  head/databases/pgbouncer/Makefile
  head/databases/pgbouncer/distinfo
  head/databases/pgbouncer/pkg-descr
Got maintainer approval and fix committed.
A commit references this bug:

Author: delphij
Date: Wed Jun 10 20:29:40 UTC 2015
New revision: 389144
URL: https://svnweb.freebsd.org/changeset/ports/389144

Log:
  MFH: r389143

  Security update to 1.5.5, while there also move the upstream to github.

  PR:          200537
  Approved by: ports-secteam

Changes:
_U  branches/2015Q2/
  branches/2015Q2/databases/pgbouncer/Makefile
  branches/2015Q2/databases/pgbouncer/distinfo
  branches/2015Q2/databases/pgbouncer/pkg-descr
Hrm, the commit hook didn't like my change of state, but I'll do it again.