PgBouncer and glibc updates for Debian

Debian GNU/Linux 11 (Bullseye) has recently received two critical security updates. They consist of a patch for PgBouncer, a lightweight connection pooler for PostgreSQL, and an update for glibc, the GNU C Library that serves as the system's standard C library.

PgBouncer Security Update (DLA 4180-1)

- Version Updated: 1.15.0-1+deb11u1
- CVE IDs: CVE-2021-3935 and CVE-2025-2291

The update addresses two significant vulnerabilities. The first, CVE-2021-3935, allows a man-in-the-middle attacker to inject arbitrary SQL queries during the initial connection setup when "cert" authentication is used, even though the connection is TLS-encrypted. The second, CVE-2025-2291, lets a user log in with an expired password, because the auth_query mechanism does not adequately check the PostgreSQL VALID UNTIL value of the role.

Users are advised to upgrade their PgBouncer packages to the latest version to mitigate these risks. More details can be found on the [PgBouncer security tracker page](https://security-tracker.debian.org/tracker/pgbouncer).

glibc Security Update (DLA 4181-1)

- Version Updated: 2.31-13+deb11u13
- CVE ID: CVE-2025-4802

A vulnerability in the dynamic linking support of glibc has been identified that could allow privilege escalation in statically compiled setuid binaries that use the dlopen() function. The issue arises because the loader code used by such binaries honours the untrusted LD_LIBRARY_PATH environment variable; this can be reached indirectly, since calls to setlocale() or to NSS functions such as getaddrinfo() invoke dlopen() internally.

Users are encouraged to upgrade their glibc packages to the updated version to safeguard against this vulnerability. Additional information can be accessed on the [glibc security tracker page](https://security-tracker.debian.org/tracker/glibc).

For both updates, users can find instructions on applying these security patches and answers to frequently asked questions on the Debian Wiki's LTS section [here](https://wiki.debian.org/LTS). It is essential for users to regularly check for updates and apply them promptly to maintain system security.

Debian GNU/Linux 11 (Bullseye) LTS has received two security updates: [DLA 4180-1] pgbouncer and [DLA 4181-1] glibc.

PgBouncer and glibc updates for Debian @ Linux Compatible