[pgpool-general: 9484] Pgpool-II 4.6.1, 4.5.7, 4.4.12, 4.3.15 and 4.2.22 are now officially released.

Bo Peng pengbo at sraoss.co.jp
Thu May 15 10:45:14 JST 2025


Pgpool Global Development Group is pleased to announce the
availability of Pgpool-II 4.6.1, 4.5.7, 4.4.12, 4.3.15 and 4.2.22.

This release contains a security fix.

An authentication bypass vulnerability exists in the client authentication mechanism of Pgpool-II. 
In Pgpool-II, authentication may be bypassed even when it is supposed to be enforced. 
As a result, an attacker could log in as any user, potentially leading to information disclosure,
data tampering, or even a complete shutdown of the database. (CVE-2025-46801)

This vulnerability affects systems where the authentication configuration matches one of the following patterns:

* Pattern 1: This vulnerability occurs when all of the following conditions are met:
 - The password authentication method is used in pool_hba.conf
 - allow_clear_text_frontend_auth = off
 - The user's password is not set in pool_passwd
 - The scram-sha-256 or md5 authentication method is used in pg_hba.conf

* Pattern 2: This vulnerability occurs when all of the following conditions are met:
 - enable_pool_hba = off
 - One of the following authentication methods is used in pg_hba.conf: password, pam, or ldap

* Pattern 3: This vulnerability occurs when all of the following conditions are met:
 - Raw mode is used (backend_clustering_mode = 'raw')
 - The md5 authentication method is used in pool_hba.conf
 - allow_clear_text_frontend_auth = off
 - The user's password is registered in pool_passwd in plain text or AES format
 - One of the following authentication methods is used in pg_hba.conf: password, pam, or ldap

All versions of Pgpool-II 4.0 and 4.1 series, 4.2.0 to 4.2.21, 4.3.0 to 4.3.14, 4.4.0 to 4.4.11, 4.5.0 to 4.5.6 and 4.6.0 are affected by this vulnerability.
It is strongly recommended to upgrade to Pgpool-II 4.6.1, 4.5.7, 4.4.12, 4.3.15 and 4.2.22 or later.
Alternatively, you can modify your settings so that they do not match any of the vulnerable configuration patterns.
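As an added example (not part of this announcement or of the Pgpool-II project), the following Python script checks a pgpool.conf, pool_hba.conf, pool_passwd and the backend's pg_hba.conf against the three patterns above, so an administrator who cannot upgrade immediately can confirm that the alternative mitigation actually takes the configuration out of all three. It assumes pool_passwd entries are prefixed md5, AES or TEXT according to their format, and that the backend's pg_hba.conf is available as text; the sample files at the bottom are constructed.

```python
# Assumption: pool_passwd secrets carry a format prefix (md5..., AES... or TEXT...).
_PREFIXES = (("md5", "md5"), ("AES", "aes"), ("TEXT", "plain"))
_METHODS = {"trust", "reject", "md5", "scram-sha-256", "password", "pam",
            "ldap", "cert", "peer", "ident", "gss", "sspi", "radius"}

def _lines(text):
    """Non-empty lines with trailing '#' comments removed."""
    return [ln for ln in (x.split("#", 1)[0].strip() for x in text.splitlines()) if ln]

def parse_conf(text):
    """key = value pairs of pgpool.conf; quotes stripped, values lower-cased."""
    pairs = (line.split("=", 1) for line in _lines(text) if "=" in line)
    return {k.strip(): v.strip().strip("'\"").lower() for k, v in pairs}

def hba_methods(text):
    """Authentication methods used in a pg_hba.conf or pool_hba.conf."""
    found = set()
    for line in _lines(text):  # TYPE DATABASE USER [ADDRESS [MASK]] METHOD [OPTIONS]
        found.update(f for f in line.split()[3:] if f in _METHODS)
    return found

def pool_passwd_formats(text):
    """Map user -> 'md5' | 'aes' | 'plain' for every pool_passwd entry."""
    entries = (line.partition(":") for line in _lines(text))
    return {u: next((t for p, t in _PREFIXES if s.startswith(p)), "plain") for u, _, s in entries}

def matching_patterns(pgpool_conf, pool_hba, pg_hba, pool_passwd, user):
    """Numbers of the advisory's patterns (1-3) that this configuration matches."""
    conf = parse_conf(pgpool_conf)
    frontend, backend = hba_methods(pool_hba), hba_methods(pg_hba)
    stored = pool_passwd_formats(pool_passwd).get(user)  # None: user not in pool_passwd
    clear_text = conf.get("allow_clear_text_frontend_auth", "off") == "on"
    pool_hba_on = conf.get("enable_pool_hba", "off") == "on"  # pool_hba.conf applies only when on
    raw_mode = conf.get("backend_clustering_mode") == "raw"
    weak_backend = bool(backend & {"password", "pam", "ldap"})
    patterns = [
        pool_hba_on and not clear_text and "password" in frontend and stored is None
        and bool(backend & {"scram-sha-256", "md5"}),                    # Pattern 1
        not pool_hba_on and weak_backend,                                # Pattern 2
        raw_mode and pool_hba_on and not clear_text and "md5" in frontend
        and stored in ("plain", "aes") and weak_backend,                 # Pattern 3
    ]
    return [n for n, hit in enumerate(patterns, 1) if hit]

# Constructed sample: Pattern 1 for user 'app', who has no pool_passwd entry.
SAMPLE_PGPOOL_CONF = "enable_pool_hba = on\nallow_clear_text_frontend_auth = off\n"
SAMPLE_POOL_HBA = "host all all 0.0.0.0/0 password\n"
SAMPLE_PG_HBA = "host all all 10.0.0.0/8 scram-sha-256\n"
SAMPLE_POOL_PASSWD = "admin:md5" + "0" * 32 + "\n"
```

A configuration is safe from this issue only when the result is an empty list for every user that can connect; rerun the check after each settings change until that holds.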

For more details please see the release notes:

  http://www.pgpool.net/docs/latest/en/html/release.html

You can download the source code and RPMs from:

  http://pgpool.net/mediawiki/index.php/Downloads

---
Bo Peng <pengbo at sraoss.co.jp>
SRA OSS K.K.
TEL: 03-5979-2701 FAX: 03-5979-2702
URL: https://www.sraoss.co.jp/

