Bug 200537

Summary: databases/pgbouncer: Security vulnerability (CVE-2015-4054)
Product: Ports & Packages
Reporter: Sevan Janiyan <venture37>
Component: Individual Port(s)
Assignee: Xin LI <delphij>
Status: Closed FIXED
Severity: Affects Only Me
CC: delphij, junovitch, m.tsatsenko, ports-secteam
Priority: ---
Keywords: patch, security
Version: Latest
Flags: koobs: maintainer-feedback+
Hardware: Any
OS: Any
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200773
Attachments (Description / Flags):
security/vuxml entry for pgbouncer CVE-2015-4054 / none
security/vuxml entry for pgbouncer CVE-2015-4054 / none
Proposed patch / delphij: maintainer-approval? (m.tsatsenko)

Comment 1 m.tsatsenko 2015-05-30 20:52:36 UTC
Hi,
Thanks for letting me know. But I do not see any patches attached.
As far as I can understand, the vulnerability does not allow remote code execution.
So for now I suggest you block incoming connections from untrusted hosts via a firewall (that is good practice in any case).

Regarding the update, I will take a look when I have some time. Thanks.
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2015-06-10 02:45:36 UTC
Created attachment 157597 [details]
security/vuxml entry for pgbouncer CVE-2015-4054

Document pgbouncer remote denial of service

We should document this while we are pressing on with the update.  Entry attached for the documentation.  Reference the release page of Github for the blockquote text, the mailing list post for the CVE info, and this PR number for details on tracking the progress.  Set the discovery date to when the fix was committed on Github.
Comment 3 Jason Unovitch freebsd_committer freebsd_triage 2015-06-10 02:49:58 UTC
Created attachment 157598 [details]
security/vuxml entry for pgbouncer CVE-2015-4054

Document pgbouncer remote denial of service

Sorry, wrapped the text properly this time... Validation info follows:

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pgbouncer-1.5.4
pgbouncer-1.5.4 is vulnerable:
pgbouncer -- remote denial of service
CVE: CVE-2015-4054
WWW: http://vuxml.FreeBSD.org/freebsd/8fbd4187-0f18-11e5-b6a8-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pgbouncer-1.5.5
0 problem(s) in the installed packages found.
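The pkg audit run above checks the installed version against the range recorded in the VuXML entry (everything before the fixed release 1.5.5 is affected). As an added illustration that is not part of the bug or the ports tree, the script below reproduces that range check offline in plain POSIX sh: a constructed one-line vulnerability table stands in for vuln.xml, the fixed version and topic string come from this bug, and the version comparison is component-wise so that 1.10.0 correctly sorts after 1.5.5 (a plain string comparison would get that wrong).

```shell
#!/bin/sh
# Added example, not from the bug report or the ports tree: an offline
# version-range check in the spirit of `pkg audit`. Real `pkg audit` reads
# the VuXML database; here a constructed table stands in for it.

# Constructed table: package name|first fixed version|topic
# (fixed version 1.5.5 and topic text are taken from this bug).
VULN_TABLE='pgbouncer|1.5.5|pgbouncer -- remote denial of service (CVE-2015-4054)'

# version_lt A B: return 0 if dotted numeric version A is strictly
# less than B, else 1. Missing components count as 0 (1.5 < 1.5.5).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"               # leading component
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"   # drop it from the rest
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        : "${ai:=0}" "${bi:=0}"                   # pad short versions
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1                                      # versions are equal
}

# audit_pkg NAME-VERSION: print the topic and return 1 if the package is
# within a vulnerable range, return 0 (silently) if it is clean.
audit_pkg() {
    pkg="$1"
    name="${pkg%-*}"    # everything before the last '-'
    ver="${pkg##*-}"    # the trailing version
    while IFS='|' read -r vname fixed topic; do
        if [ "$vname" = "$name" ] && version_lt "$ver" "$fixed"; then
            printf '%s is vulnerable:\n%s\n' "$pkg" "$topic"
            return 1
        fi
    done <<EOF
$VULN_TABLE
EOF
    return 0
}

# Stand-alone usage: ./audit.sh pgbouncer-1.5.4 pgbouncer-1.5.5
status=0
for p in "$@"; do
    audit_pkg "$p" || status=1
done
[ $# -eq 0 ] || exit "$status"
```

The here-document feeds the loop without a subshell, so `return 1` propagates out of `audit_pkg` and the script's exit status can drive a CI gate the same way `pkg audit`'s does.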
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2015-06-10 02:51:37 UTC
@Maintainer & ports-secteam

Attachment 157597 [details] (VuXML change) can be committed independently and prior to a pending patch to the port. (needs-patch)
Comment 5 commit-hook freebsd_committer freebsd_triage 2015-06-10 17:34:41 UTC
A commit references this bug:

Author: delphij
Date: Wed Jun 10 17:34:22 UTC 2015
New revision: 389105
URL: https://svnweb.freebsd.org/changeset/ports/389105

Log:
  Document pgbouncer remote denial of service vulnerability.

  PR:		200537
  Submitted by:	Jason Unovitch

Changes:
  head/security/vuxml/vuln.xml
Comment 6 Xin LI freebsd_committer freebsd_triage 2015-06-10 18:00:45 UTC
Created attachment 157620 [details]
Proposed patch

Note that upstream moved to github.  I've inspected the new tarball and found the changes legitimate.
Comment 7 m.tsatsenko 2015-06-10 20:02:30 UTC
Thanks for your work!
The patch seems OK to me.
Comment 8 commit-hook freebsd_committer freebsd_triage 2015-06-10 20:29:02 UTC
A commit references this bug:

Author: delphij
Date: Wed Jun 10 20:28:56 UTC 2015
New revision: 389143
URL: https://svnweb.freebsd.org/changeset/ports/389143

Log:
  Security update to 1.5.5, while there also move the
  upstream to github.

  PR:		200537
  Approved by:	maintainer
  MFH:		2015Q2 (test)

Changes:
  head/databases/pgbouncer/Makefile
  head/databases/pgbouncer/distinfo
  head/databases/pgbouncer/pkg-descr
Comment 9 Xin LI freebsd_committer freebsd_triage 2015-06-10 20:30:03 UTC
Got maintainer approval and fix committed.
Comment 10 commit-hook freebsd_committer freebsd_triage 2015-06-10 20:30:04 UTC
A commit references this bug:

Author: delphij
Date: Wed Jun 10 20:29:40 UTC 2015
New revision: 389144
URL: https://svnweb.freebsd.org/changeset/ports/389144

Log:
  MFH: r389143

  Security update to 1.5.5, while there also move the
  upstream to github.

  PR:		200537
  Approved by:	ports-secteam

Changes:
_U  branches/2015Q2/
  branches/2015Q2/databases/pgbouncer/Makefile
  branches/2015Q2/databases/pgbouncer/distinfo
  branches/2015Q2/databases/pgbouncer/pkg-descr
Comment 11 Xin LI freebsd_committer freebsd_triage 2015-06-10 20:31:48 UTC
Hrm, the commit hook didn't like my change of state, but I'll do it again.