PgBouncer 1.25.2 released


PgBouncer 1.25.2 has been released, incorporating four critical security patches that address vulnerabilities related to malformed authentication packets and admin console permissions. The update also improves stability by fixing a null pointer crash caused by legacy error responses, and it clarifies the documentation for pool sizing and TLS cipher settings. Database administrators are urged to upgrade immediately, because the SCRAM authentication vulnerabilities can be exploited remotely without valid credentials. Additionally, a quick audit of the admin_users setting is recommended to restrict session termination privileges to trusted operators and keep the connection pooler running smoothly.


PgBouncer 1.25.2 drops four security patches that stop malformed authentication packets from crashing the connection pooler and locks down an admin command that previously let anyone kill active database sessions. The update also plugs a null pointer crash triggered by legacy error responses and cleans up confusing documentation for pool sizing and TLS cipher settings. Database teams should upgrade right away, since the SCRAM vulnerabilities can be exploited remotely without any valid credentials. A quick audit of the admin_users setting in the PgBouncer configuration file will keep session termination locked down to trusted operators before the patch is rolled out to production clusters.
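The admin_users audit suggested above can be scripted. The following is an added example, not code from the PgBouncer project or from this post: it parses the `[pgbouncer]` section of a pgbouncer.ini, extracts the comma-separated `admin_users` list, and reports any account that is not on a locally maintained allowlist of trusted operators. The sample configuration and the `TRUSTED_ADMINS` set are constructed for illustration and stand in for a real deployment's file and policy.

```python
"""Audit admin_users in a pgbouncer.ini against a local operator allowlist.

Added example (not part of PgBouncer or the news post above). The INI text
below is constructed; TRUSTED_ADMINS is an assumed local policy.
"""
import configparser
import sys

# Constructed sample pgbouncer.ini, not taken from a real deployment.
SAMPLE_INI = """
[databases]
appdb = host=127.0.0.1 port=5432 dbname=appdb

[pgbouncer]
listen_addr = 0.0.0.0
listen_port = 6432
auth_type = scram-sha-256
auth_file = /etc/pgbouncer/userlist.txt
admin_users = pgbouncer, dba_alice, app_service
stats_users = monitor
"""

# Assumed local policy: only these accounts may use the admin console.
TRUSTED_ADMINS = {"pgbouncer", "dba_alice"}


def _split_users(value):
    """Turn 'a, b ,c' into {'a', 'b', 'c'}; empty entries are dropped."""
    return {u.strip() for u in value.split(",") if u.strip()}


def load_console_users(ini_text):
    """Return the admin_users and stats_users sets from the [pgbouncer] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    section = cp["pgbouncer"]
    return {
        "admin_users": _split_users(section.get("admin_users", "")),
        "stats_users": _split_users(section.get("stats_users", "")),
    }


def audit_admin_users(ini_text, trusted=TRUSTED_ADMINS):
    """Return the sorted list of admin_users entries that are not trusted operators.

    An empty list means every account with console privileges is approved.
    """
    users = load_console_users(ini_text)
    return sorted(users["admin_users"] - set(trusted))


def main(argv):
    # Usage: python audit_admin_users.py [/path/to/pgbouncer.ini]
    # With no path the constructed SAMPLE_INI is audited.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            ini_text = fh.read()
    else:
        ini_text = SAMPLE_INI
    unexpected = audit_admin_users(ini_text)
    if not unexpected:
        print("OK: admin_users contains only trusted operators")
        return 0
    for user in unexpected:
        print(f"FINDING: admin_users grants console access to '{user}', "
              f"which is not an approved operator")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the constructed sample, the script flags `app_service`: a service account that has been granted the admin console, and therefore the ability to terminate sessions, without being on the operator allowlist. A non-zero exit status makes the check usable as a gate in a deployment pipeline.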

PgBouncer 1.25.2 released @ Linux Compatible