A denial of service flaw was found in the way pgbouncer, a lightweight connection pooler for PostgreSQL, processed client requests that attempt to add new database(s) with large name(s). A remote attacker could use this flaw to cause the pooler server to shut down.
Relevant upstream patch:
This issue affects the versions of the pgbouncer package as shipped with Fedora releases 16 and 17. Please schedule an update.
Created pgbouncer tracking bugs for this issue
Affects: fedora-all [bug 872529]
I fixed this in master and f18. Do you think that I should push it also to f17? The current patch set that I applied also moves the conf file under /etc/pgbouncer/pgbouncer.ini, instead of /etc/pgbouncer.ini. This is an incompatible change for a released version. I can rip it out, but...
BTW I am also maintaining the community RPMs; I used exactly the same patches that I used there. That is the reason for the change.
(In reply to comment #4)
> I fixed this in master and f18.
Thank you for that update, Devrim.
> Do you think that I should push it also to
Ad the DoS - yes, the patch should be applied to both pgbouncer versions (Fedora-16 and Fedora-17).
> The current patch set that I applied also moves conf file under
> /etc/pgbouncer/pgbouncer.ini, instead of /etc/pgbouncer.ini. This is an
> incompatible change for released version. I can rip it out, but...
Depends on you (to be honest I am not sure what the rules are wrt rebasing packages in Fedora against more recent upstream versions).
But if this (move /etc/pgbouncer.ini to /etc/pgbouncer/pgbouncer.ini) is an upstream decision, which is supposed to be supported from now onwards, I would say it is OK to make that change (under the assumption you would simultaneously rebase the Fedora-16 and Fedora-17 pgbouncer versions to the upstream 1.5.3 one too).
The users would need to get accustomed to that change anyway (now or later). And if this is the new *.ini file location (IOW it won't be changed back to the original in two weeks), I would say it's OK.
If you would just selectively apply patches (IOW keep Fedora-16 / Fedora-17 still based on the upstream 1.4 version), I would say just fix the DoS and keep the *.ini file in its older / previous location.
> BTW I am also maintaining the community RPMs, I used exactly the same
> patches that I used there. That is the reason of the change.
Ok, understood. See above: if this change is intended to be a long-term option, it is OK to apply that in Fedora too (maybe you could symlink /etc/pgbouncer/pgbouncer.ini to /etc/pgbouncer.ini if you think such a change might cause issues).
Thank you, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
Assigned CVE as per http://www.openwall.com/lists/oss-security/2012/11/02/8
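The flaw in the description at the top of this thread is an oversized database name in a client request taking down the whole pooler. The following Python example is added here and is not pgbouncer's code nor the upstream patch referenced above; it parses a PostgreSQL v3 StartupMessage (int32 length, int32 protocol, NUL-terminated key/value pairs closed by one extra NUL) and shows the admission check a pooler should apply: an over-long name, or an over-long packet, is rejected for that one client instead of terminating the process. The caps MAX_STARTUP_LEN and MAX_DBNAME, the function names and the sample packets are assumptions constructed for the example; pgbouncer's real limits are not stated on this page.

```python
import struct

PROTOCOL_V3 = 3 << 16     # 196608: PostgreSQL wire protocol 3.0
MAX_STARTUP_LEN = 10000   # assumed cap on the whole startup packet
MAX_DBNAME = 64           # assumed cap on a database name (pgbouncer's real limit is not on the page)


class StartupError(ValueError):
    """Malformed or over-limit startup packet: close this client, never the pooler."""


def build_startup_message(params: dict) -> bytes:
    """Encode a v3 StartupMessage. Used here only to construct sample input."""
    body = b"".join(k.encode() + b"\0" + v.encode() + b"\0" for k, v in params.items()) + b"\0"
    return struct.pack("!II", 8 + len(body), PROTOCOL_V3) + body


def parse_startup_message(data: bytes) -> dict:
    """Decode the fixed header and the parameter list.

    Every size check runs before anything is copied or stored, so an oversized
    request can only ever cost the attacker's own connection.
    """
    if len(data) < 8:
        raise StartupError("packet shorter than its fixed header")
    length, proto = struct.unpack("!II", data[:8])
    if length > MAX_STARTUP_LEN:
        raise StartupError("startup packet exceeds %d bytes" % MAX_STARTUP_LEN)
    if length != len(data):
        raise StartupError("length field does not match packet size")
    if proto != PROTOCOL_V3:
        raise StartupError("unsupported protocol 0x%08x" % proto)
    body = data[8:]
    if not body.endswith(b"\0"):
        raise StartupError("missing parameter-list terminator")
    fields = body[:-1].split(b"\0")
    # The pair list itself ends with a NUL, so the last split element is empty.
    if fields.pop() != b"":
        raise StartupError("missing parameter-list terminator")
    if len(fields) % 2:
        raise StartupError("unpaired parameter")
    try:
        return {k.decode(): v.decode() for k, v in zip(fields[0::2], fields[1::2])}
    except UnicodeDecodeError as exc:
        raise StartupError("non-UTF-8 parameter") from exc


def screen_connection(data: bytes) -> dict:
    """Per-connection admission decision for one raw startup packet.

    Returns {"action": "accept", ...} or {"action": "reject", "reason": ...}.
    Nothing here raises out to the event loop or exits the process.
    """
    try:
        params = parse_startup_message(data)
    except StartupError as exc:
        return {"action": "reject", "reason": str(exc)}
    # As in PostgreSQL itself, a missing "database" defaults to the user name.
    dbname = params.get("database") or params.get("user", "")
    if not dbname:
        return {"action": "reject", "reason": "no database or user given"}
    name_len = len(dbname.encode())
    if name_len > MAX_DBNAME:
        return {"action": "reject",
                "reason": "database name of %d bytes exceeds %d" % (name_len, MAX_DBNAME)}
    return {"action": "accept", "database": dbname, "user": params.get("user", "")}


if __name__ == "__main__":
    # Constructed sample packets: a normal login and one carrying a 5000-byte name.
    good = build_startup_message({"user": "alice", "database": "appdb"})
    huge = build_startup_message({"user": "alice", "database": "x" * 5000})
    print(screen_connection(good))
    print(screen_connection(huge))
```

build_startup_message exists only to construct sample packets. The behaviour of interest is that screen_connection answers the 5000-byte name with a rejection scoped to that client; a pooler with the behaviour described in the report would instead shut down on the same input, which is what makes the flaw remotely triggerable.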