PgBouncer 1.24.1 released - Fixes CVE-2025-2291 - Mailing list pgsql-announce

From PgBouncer via PostgreSQL Announce
Subject PgBouncer 1.24.1 released - Fixes CVE-2025-2291
Msg-id 174524328396.676.264806485191433910@wrigleys.postgresql.org
List pgsql-announce
 

PgBouncer 1.24.1 released - Fixes CVE-2025-2291

PgBouncer 1.24.1 has been released. This release fixes CVE-2025-2291, which could allow an attacker to bypass a Postgres password expiry. Such a password expiry would have been set up in Postgres using the VALID UNTIL clause. This is a security issue that affects all versions of PgBouncer. If you use both VALID UNTIL and auth_user, then you should upgrade, or change the auth_query in your config file to the new auth_query that is used by default in this release. If you are using a custom auth_query, then you should update it to be similar to the new default auth_query in this release.
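The following psql session is an added illustration of the problem and the shape of the fix; it is not text from this announcement and does not quote PgBouncer's actual default auth_query (take that from the release page linked below). The role name expired_user, the schema and function pgbouncer.user_lookup, and an auth_user role named pgbouncer are assumed for the example.

```sql
-- Added example, not PgBouncer project code. Run as a superuser in psql.
-- Assumed names: role expired_user, schema/function pgbouncer.user_lookup,
-- and an existing role "pgbouncer" that PgBouncer uses as auth_user.

-- A constructed role whose password expired long ago.
CREATE ROLE expired_user LOGIN PASSWORD 'secret' VALID UNTIL '2000-01-01';

-- Expiry-blind lookup: hands back the password hash no matter what valuntil says.
-- If auth_query only does this, PgBouncer checks the client's password itself and
-- then opens the backend connection as auth_user, so Postgres never gets to
-- enforce VALID UNTIL. That is the bypass this release closes.
SELECT usename, passwd, valuntil
  FROM pg_shadow
 WHERE usename = 'expired_user';
-- one row is returned although valuntil is in the past

-- VALID UNTIL-aware lookup: returns no row once the password has expired, so
-- PgBouncer fails the login. A NULL valuntil means the password never expires.
SELECT usename, passwd
  FROM pg_shadow
 WHERE usename = 'expired_user'
   AND (valuntil IS NULL OR valuntil > now());
-- zero rows

-- The same check wrapped in a SECURITY DEFINER function, the usual way to let a
-- non-superuser auth_user read pg_shadow. PgBouncer reads the two result
-- columns positionally (username, then password hash).
CREATE SCHEMA IF NOT EXISTS pgbouncer;
CREATE OR REPLACE FUNCTION pgbouncer.user_lookup(p_user text,
                                                 OUT uname text, OUT phash text)
RETURNS record
LANGUAGE sql SECURITY DEFINER
SET search_path = pg_catalog
AS $$
  SELECT usename::text, passwd::text
    FROM pg_catalog.pg_shadow
   WHERE usename = p_user
     AND (valuntil IS NULL OR valuntil > now());
$$;
-- Only the auth_user role may execute the lookup.
REVOKE ALL ON FUNCTION pgbouncer.user_lookup(text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION pgbouncer.user_lookup(text) TO pgbouncer;

SELECT * FROM pgbouncer.user_lookup('expired_user');   -- zero rows

-- Matching pgbouncer.ini settings (shown as a comment; not part of the SQL):
--   auth_user  = pgbouncer
--   auth_query = SELECT * FROM pgbouncer.user_lookup($1)

DROP ROLE expired_user;
```

After changing auth_query, issue RELOAD on the PgBouncer admin console and confirm through the pooler that a role with a VALID UNTIL in the past is refused while an unexpired role still connects; a custom auth_query that lacks the valuntil predicate keeps the bypass even on 1.24.1.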

This release also fixes PAM authentication by reverting support for pam in the HBA file. PAM authentication was accidentally broken in 1.24.0.

See https://www.pgbouncer.org/2025/04/pgbouncer-1-24-1 for more information, the detailed changelog, and download links.

PgBouncer is a lightweight connection pooler for PostgreSQL.

 
