The following flaw was found in PgBouncer:

New auth_user functionality introduced in 1.6 allows login as auth_user when client presents unknown username. It’s quite likely auth_user is superuser. Affects only setups that have enabled auth_user in their config.

Upstream issue:
http://comments.gmane.org/gmane.comp.db.postgresql.pgbouncer.general/1251

Upstream patch:
https://github.com/pgbouncer/pgbouncer/commit/7ca3e5279d05fceb1e8a043c6f5b6f58dea3ed38

External References:
https://pgbouncer.github.io/2015/09/pgbouncer-1-6-1/
The auth_user functionality was introduced in version 1.6. Fedora ships versions 1.5.x and is thus not affected.
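
To check whether a given deployment matches the affected condition described above (version 1.6 with auth_user enabled), the following added example, which is not part of the original report or of PgBouncer, scans a pgbouncer.ini for active auth_user settings. The function names and the sample config are constructed for illustration; it assumes auth_user may appear either in a [databases] connect string or in the [pgbouncer] section, and that 1.6.1 (the release linked under External References) carries the fix.

```python
import re

# Constructed sample config; database names and the "pgb_lookup" role are made up.
SAMPLE_INI = """\
[databases]
app = host=10.0.0.5 dbname=app auth_user=pgb_lookup
reports = host=10.0.0.6 dbname=reports
; legacy = host=10.0.0.7 auth_user=postgres

[pgbouncer]
auth_type = md5
auth_file = /etc/pgbouncer/userlist.txt
"""

def auth_user_settings(ini_text):
    """Return {location: role} for every active (uncommented) auth_user setting."""
    found, section = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue                      # not a key = value line (e.g. %include)
        key, value = key.strip(), value.strip()
        if section == "databases":
            # The value is a connect string of space-separated key=value pairs.
            m = re.search(r"(?:^|\s)auth_user\s*=\s*('[^']*'|\S+)", value)
            if m:
                found["databases/" + key] = m.group(1).strip("'")
        elif section == "pgbouncer" and key.lower() == "auth_user":
            found["pgbouncer/auth_user"] = value
    return found

def exposed(version, ini_text):
    """True when the version is 1.6 (1.6.0) and auth_user is configured."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (3 - len(parts))      # treat "1.6" as 1.6.0
    return parts == (1, 6, 0) and bool(auth_user_settings(ini_text))
```

Any role the scan reports is the one to review for superuser privileges, since that is the account an unknown username would have been mapped to.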