| Release | Version |
|---|---|
| bullseye | 1.15.0-1 |
| bullseye (security) | 1.15.0-1+deb11u2 |
| bookworm | 1.18.0-1+deb12u1 |
| trixie | 1.24.1-1+deb13u1 |
| forky | 1.25.1-1 |
| sid | 1.25.2-1 |

| Bug | bullseye | bookworm | trixie | forky | sid | Description |
|---|---|---|---|---|---|---|
| CVE-2026-6667 | vulnerable | vulnerable (no DSA) | vulnerable (no DSA) | vulnerable | fixed | PgBouncer before 1.25.2 did not perform an appropriate authorization c ... |
| CVE-2026-6666 | vulnerable | vulnerable (no DSA) | vulnerable (no DSA) | vulnerable | fixed | A possible null pointer reference in PgBouncer before 1.25.2 could lea ... |
| CVE-2026-6665 | vulnerable | vulnerable (no DSA) | vulnerable (no DSA) | vulnerable | fixed | The SCRAM code in PgBouncer before 1.25.2 did not check the return val ... |
| CVE-2026-6664 | vulnerable | vulnerable (no DSA) | vulnerable (no DSA) | vulnerable | fixed | An integer overflow in network packet parsing code in PgBouncer before ... |

| Bug | Description |
|---|---|
| CVE-2025-12819 | Untrusted search path in auth_query connection handler in PgBouncer be ... |
| CVE-2025-2291 | Password can be used past expiry in PgBouncer due to auth_query not ta ... |
| CVE-2021-3935 | When PgBouncer is configured to use "cert" authentication, a man-in-th ... |
| CVE-2015-6817 | PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows r ... |
| CVE-2015-4054 | PgBouncer before 1.5.5 allows remote attackers to cause a denial of se ... |
| CVE-2012-4575 | The add_database function in objects.c in the pgbouncer pooler 1.5.2 f ... |

| DSA / DLA | Description |
|---|---|
| DLA-4422-1 | pgbouncer - security update |
| DLA-4180-1 | pgbouncer - security update |
| DLA-2922-1 | pgbouncer - security update |