PgBouncer 1.24.1 released

PgBouncer 1.24.1 has been officially released, addressing a significant security vulnerability identified as CVE-2025-2291. This vulnerability allows attackers to bypass the password expiration policy implemented in PostgreSQL, specifically affecting configurations that utilize the VALID UNTIL clause for password management. The issue is relevant to all PgBouncer versions, prompting users to take action.

To safeguard their systems, users are strongly encouraged to either upgrade to the new version or adjust their configuration files to incorporate the updated default `auth_query`. For those who have customized their `auth_query`, it's crucial to modify it to align with the new default settings introduced in this release.
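As an added illustration, not text or configuration taken from the announcement or from the PgBouncer project, the following `pgbouncer.ini` fragment contrasts the kind of `auth_query` that CVE-2025-2291 concerns (it returns the stored hash regardless of `VALID UNTIL`) with a lookup that filters on the `pg_shadow.valuntil` column, so that a role whose password has expired returns no row and the login fails at PgBouncer just as it would at PostgreSQL. The exact query text here is my own assumption of the shape such a check takes; the authoritative default `auth_query` is the one shipped in 1.24.1 and its documentation.

```ini
[pgbouncer]
; Illustrative lookup of the kind the advisory describes (left commented out
; so it is never applied): it hands back the password hash whether or not the
; role's VALID UNTIL has passed, so PgBouncer accepts a password PostgreSQL
; itself would already reject as expired.
;auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename=$1

; VALID UNTIL-aware lookup (assumed form, not copied from the release):
; pg_shadow.valuntil is NULL when no expiry is set, so roles without an
; expiry still authenticate; roles whose expiry is in the past get no row,
; and an empty result means the login is refused.
auth_query = SELECT usename, passwd FROM pg_shadow WHERE usename=$1 AND (valuntil IS NULL OR valuntil > now())
```

Two practical points when applying this: if your `auth_query` is a custom wrapper, typically a `SECURITY DEFINER` function that reads `pg_shadow` on behalf of a low-privilege `auth_user`, the `valuntil` filter has to be added inside that function, not only in the `.ini` line; and the change is easy to verify by giving a test role an expiry in the past with `ALTER ROLE ... VALID UNTIL '2000-01-01'` and confirming that a login through PgBouncer is refused.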

Additionally, this update rectifies an issue with PAM (Pluggable Authentication Module) authentication that was inadvertently disrupted in the previous version, 1.24.0. This fix restores proper functionality for PAM in the Host-Based Authentication (HBA) file.

For complete details on the changes and improvements made in this release, users can refer to the full changelog.

In summary, PgBouncer 1.24.1 is a critical update for users relying on PostgreSQL’s security features, emphasizing the importance of timely updates and configuration adjustments to maintain robust security practices. Users are reminded to regularly review and update their software to protect against vulnerabilities and ensure optimal performance.

PgBouncer 1.24.1 released @ Linux Compatible