DoS-Vulnerability in pgbouncer

The attachment "lp1083414-quantal.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

ACK on the debdiff, looks good, thanks!

I will upload it for building now, and it should be released in the next few hours. Thanks!

This bug was fixed in the package pgbouncer - 1.5.2-2ubuntu0.1

---------------
pgbouncer (1.5.2-2ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: denial of service when too long db name is provided
    (LP: #1083414)
    - debian/patches/1-CVE-2012-4575.patch: objects.c(add_database): fail
      gracefully if too long db name. Based on upstream patch.
    - CVE-2012-4575
 -- Christian Kuersteiner <email address hidden> Mon, 03 Dec 2012 13:53:28 +0700

ACK on the oneiric and precise debdiffs. They look good. They will build now and will be pushed soon. Thanks!

This bug was fixed in the package pgbouncer - 1.4.2-2ubuntu0.1

---------------
pgbouncer (1.4.2-2ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: denial of service when too long db name is provided
    (LP: #1083414)
    - debian/patches/2-CVE-2012-4575.patch: objects.c(add_database): fail
      gracefully if too long db name. Based on upstream patch.
    - CVE-2012-4575
 -- Christian Kuersteiner <email address hidden> Tue, 04 Dec 2012 22:21:56 +0700

This bug was fixed in the package pgbouncer - 1.4.2-1ubuntu0.1

---------------
pgbouncer (1.4.2-1ubuntu0.1) oneiric-security; urgency=low

  * SECURITY UPDATE: denial of service when too long db name is provided
    (LP: #1083414)
    - debian/patches/3-CVE-2012-4575.patch: objects.c(add_database): fail
      gracefully if too long db name. Based on upstream patch.
    - CVE-2012-4575
 -- Christian Kuersteiner <email address hidden> Thu, 06 Dec 2012 12:46:08 +0700

And the last patch for lucid. Since this is my first security bug fix let me know if I missed something or can improve anything.

ACK on the lucid debdiff, with a minor edit to debian/changelog to list the correct name of the patch file. The package is building now and will be released today.

Your debdiffs look fine to me, thanks for all your hard work!

This bug was fixed in the package pgbouncer - 1.3.1-3ubuntu0.1

---------------
pgbouncer (1.3.1-3ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service when too long db name is provided
    (LP: #1083414)
    - debian/patches/04-CVE-2012-4575.dpatch: objects.c(add_database): fail
      gracefully if too long db name. Based on upstream patch.
    - CVE-2012-4575
 -- Christian Kuersteiner <email address hidden> Fri, 07 Dec 2012 13:06:35 +0700