Bug 200537 - databases/pgbouncer: Security vulnerability (CVE-2015-4054)
Summary: databases/pgbouncer: Security vulnerability (CVE-2015-4054)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Xin LI
URL:
Keywords: patch, security
Depends on: 200773
Blocks:
  Show dependency treegraph
 
Reported: 2015-05-30 17:25 UTC by Sevan Janiyan
Modified: 2016-08-23 04:41 UTC (History)
4 users (show)

See Also:
koobs: maintainer-feedback+


Attachments
security/vuxml entry for pgbouncer CVE-2015-4054 (1.25 KB, patch)
2015-06-10 02:45 UTC, Jason Unovitch
no flags Details | Diff
security/vuxml entry for pgbouncer CVE-2015-4054 (1.26 KB, patch)
2015-06-10 02:49 UTC, Jason Unovitch
no flags Details | Diff
Proposed patch (1.49 KB, patch)
2015-06-10 18:00 UTC, Xin LI
delphij: maintainer-approval? (m.tsatsenko)
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 m.tsatsenko 2015-05-30 20:52:36 UTC
Hi,
Thanks for letting me know. But I do not see any patches attached. 
As far I can understand the vulnerability does not allow remote code execution.
So for now I suggest you to block incoming connections from not trusted hosts via firewall (that is good practice in a any case).

Regarding the update I will take a look when have some time. Thanks.
Comment 2 Jason Unovitch freebsd_committer 2015-06-10 02:45:36 UTC
Created attachment 157597 [details]
security/vuxml entry for pgbouncer CVE-2015-4054

Document pgbouncer remote denial of service

We should document this while we are pressing on with the update.  Entry attached for the documentation.  Reference the release page of Github for the blockquote text, the mailing list post for the CVE info, and this PR number for details on tracking the progress.  Set the discovery date to when the fix was committed on Github.
Comment 3 Jason Unovitch freebsd_committer 2015-06-10 02:49:58 UTC
Created attachment 157598 [details]
security/vuxml entry for pgbouncer CVE-2015-4054

Document pgbouncer remote denial of service

Sorry, wrap text properly this time... Also validation info follows:

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pgbouncer-1.5.4
pgbouncer-1.5.4 is vulnerable:
pgbouncer -- remote denial of service
CVE: CVE-2015-4054
WWW: http://vuxml.FreeBSD.org/freebsd/8fbd4187-0f18-11e5-b6a8-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit pgbouncer-1.5.5
0 problem(s) in the installed packages found.
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2015-06-10 02:51:37 UTC
@Maintainer & ports-secteam

Attachment 157597 [details] (VuXML change) can be committed independently and prior to 
a pending patch to port. (needs-patch)
Comment 5 commit-hook freebsd_committer 2015-06-10 17:34:41 UTC
A commit references this bug:

Author: delphij
Date: Wed Jun 10 17:34:22 UTC 2015
New revision: 389105
URL: https://svnweb.freebsd.org/changeset/ports/389105

Log:
  Document pgbouncer remote denial of service vulnerability.

  PR:		200537
  Submitted by:	Jason Unovitch

Changes:
  head/security/vuxml/vuln.xml
Comment 6 Xin LI freebsd_committer 2015-06-10 18:00:45 UTC
Created attachment 157620 [details]
Proposed patch

Note that upstream moved to github.  I've inspected the new tarball and found the changes legitimate.
Comment 7 m.tsatsenko 2015-06-10 20:02:30 UTC
Thanks for your work!
The patch seems ok for me
Comment 8 commit-hook freebsd_committer 2015-06-10 20:29:02 UTC
A commit references this bug:

Author: delphij
Date: Wed Jun 10 20:28:56 UTC 2015
New revision: 389143
URL: https://svnweb.freebsd.org/changeset/ports/389143

Log:
  Security update to 1.5.5, while there also move the
  upstream to github.

  PR:		200537
  Approved by:	maintainer
  MFH:		2015Q2 (test)

Changes:
  head/databases/pgbouncer/Makefile
  head/databases/pgbouncer/distinfo
  head/databases/pgbouncer/pkg-descr
Comment 9 Xin LI freebsd_committer 2015-06-10 20:30:03 UTC
Got maintainer approval and fix committed.
Comment 10 commit-hook freebsd_committer 2015-06-10 20:30:04 UTC
A commit references this bug:

Author: delphij
Date: Wed Jun 10 20:29:40 UTC 2015
New revision: 389144
URL: https://svnweb.freebsd.org/changeset/ports/389144

Log:
  MFH: r389143

  Security update to 1.5.5, while there also move the
  upstream to github.

  PR:		200537
  Approved by:	ports-secteam

Changes:
_U  branches/2015Q2/
  branches/2015Q2/databases/pgbouncer/Makefile
  branches/2015Q2/databases/pgbouncer/distinfo
  branches/2015Q2/databases/pgbouncer/pkg-descr
Comment 11 Xin LI freebsd_committer 2015-06-10 20:31:48 UTC
Hrm commit hook didn't like my change of state but do it again.