Pgpool-II 4.6.1, 4.5.7, 4.4.12, 4.3.15 and 4.2.22 released

Pgpool-II, a critical tool for PostgreSQL, has recently released several minor versions: 4.6.1, 4.5.7, 4.4.12, 4.3.15, and 4.2.22. These updates address a significant security vulnerability related to authentication bypass in the client authentication mechanism. This vulnerability allows unauthorized access to the database, posing a risk of information disclosure, data tampering, and potential service disruption. Specifically, it affects systems configured with certain authentication patterns, including password, pam, or ldap methods.

The vulnerability, identified as CVE-2025-46801, impacts various versions of Pgpool-II, including all from the 4.0 and 4.1 series, as well as multiple versions from 4.2.0 to 4.6.0. Users are strongly advised to upgrade to one of the new versions or to adjust their configurations to avoid matching the vulnerability's criteria.

Pgpool-II enhances PostgreSQL with features such as connection pooling, load balancing, and automatic failover, making it a valuable tool for database management. Users are encouraged to consult the release notes for detailed information and to download the latest versions, which include crucial security patches.

In summary, it is essential for users of Pgpool-II to stay up-to-date with the latest releases to ensure the security and integrity of their PostgreSQL databases. Regular updates not only provide new features but also safeguard against vulnerabilities that can compromise database systems.

Pgpool-II, a tool for PostgreSQL, has released the following minor versions: 4.6.1, 4.5.7, 4.4.12, 4.3.15, and 4.2.22. These versions contain a security fix for an authentication bypass vulnerability in the client authentication mechanism. This vulnerability enables an attacker to gain unauthorized access as any user, which may result in information disclosure, data manipulation, or disruption of database services. The vulnerability impacts systems whose authentication configuration matches one of three specific patterns: password, pam, or ldap. All versions of Pgpool-II from the 4.0 and 4.1 series, as well as versions 4.2.0 through 4.2.21, 4.3.0 through 4.3.14, 4.4.0 through 4.4.11, 4.5.0 through 4.5.6, and 4.6.0 are impacted.

Pgpool-II 4.6.1, 4.5.7, 4.4.12, 4.3.15 and 4.2.22 released @ Linux Compatible