Lightweight connection pooler for PostgreSQL https://www.pgbouncer.org/ <p>PgBouncer 1.25.1 has been released. This release fixes CVE-2025-12819: Before this release it was possible for an unauthenticated attacker to execute arbitrary SQL during authentication by providing a malicious search_path parameter in the StartupMessage. Systems that have ALL the following configurations are vulnerable:</p> <ol> <li><code class="language-plaintext highlighter-rouge">track_extra_parameters</code> includes search_path (non-default configuration, probably only configured in setups involving Citus or PostgreSQL 18)</li> <li><code class="language-plaintext highlighter-rouge">auth_user</code> is set to a non-empty string (non-default configuration)</li> <li><code class="language-plaintext highlighter-rouge">auth_query</code> is configured without fully-qualified object names (default configuration, the &lt; operator is not schema q</li> </ol> <p>This release also fixes a bunch of bugs/issues introduced in the recent 1.25.0 release.</p> <p>See the full details in the <a href="/changelog.html#pgbouncer-125x">changelog</a>.</p> <p>Download here: <a href="/downloads/files/1.25.1/pgbouncer-1.25.1.tar.gz">pgbouncer-1.25.1.tar.gz</a> (<a href="/downloads/files/1.25.1/pgbouncer-1.25.1.tar.gz.sha256">sha256</a>)</p> Wed, 03 Dec 2025 00:00:00 +0000 https://www.pgbouncer.org//2025/12/pgbouncer-1.25-1 https://www.pgbouncer.org//2025/12/pgbouncer-1.25-1 <p>PgBouncer 1.25.0 has been released. This release contains a number of new features along with a variety of improvements and bug fixes. Highlights are:</p> <ul> <li>Support for LDAP authentication.</li> <li>Support for client-side “direct” TLS connections.</li> <li>Reporting connected but idle client connections as <code class="language-plaintext highlighter-rouge">idle</code> instead of <code class="language-plaintext highlighter-rouge">active</code>.</li> <li>Greatly improving performance of SCRAM authentication.</li> </ul> <p>See the full details in the <a href="/changelog.html#pgbouncer-125x">changelog</a>.</p> <p>Download here: <a href="/downloads/files/1.25.0/pgbouncer-1.25.0.tar.gz">pgbouncer-1.25.0.tar.gz</a> (<a href="/downloads/files/1.25.0/pgbouncer-1.25.0.tar.gz.sha256">sha256</a>)</p> Sun, 09 Nov 2025 00:00:00 +0000 https://www.pgbouncer.org//2025/11/pgbouncer-1.25-0 https://www.pgbouncer.org//2025/11/pgbouncer-1.25-0 <p>PgBouncer 1.24.1 has been released. This release fixes CVE-2025-2291, which could allow an attacker to bypass Postgres its password expiry. Such a password expiry would have been set up in Postgres using the <code class="language-plaintext highlighter-rouge">VALID UNTIL</code> clause. This is a security issue that affects all versions of PgBouncer. If you use both <code class="language-plaintext highlighter-rouge">VALID UNTIL</code> and <code class="language-plaintext highlighter-rouge">auth_user</code> then you should upgrade, or change the <code class="language-plaintext highlighter-rouge">auth_query</code> in your config file to the new <code class="language-plaintext highlighter-rouge">auth_query</code> that is used by default in this release. If you are using a custom <code class="language-plaintext highlighter-rouge">auth_query</code> then you should update it be similar to the new default <code class="language-plaintext highlighter-rouge">auth_query</code> in this release.</p> <p>This release also fixes PAM authentication by reverting support for <code class="language-plaintext highlighter-rouge">pam</code> in the HBA file. PAM authentication was accidentally broken in 1.24.0.</p> <p>See the full details in the <a href="/changelog.html#pgbouncer-124x">changelog</a>.</p> <p>Download here: <a href="/downloads/files/1.24.1/pgbouncer-1.24.1.tar.gz">pgbouncer-1.24.1.tar.gz</a> (<a href="/downloads/files/1.24.1/pgbouncer-1.24.1.tar.gz.sha256">sha256</a>)</p> Wed, 16 Apr 2025 00:00:00 +0000 https://www.pgbouncer.org//2025/04/pgbouncer-1-24-1 https://www.pgbouncer.org//2025/04/pgbouncer-1-24-1 <p>PgBouncer 1.24.0 has been released. This release contains a number of new features along with a variety of improvements and bug fixes. Highlights are:</p> <ul> <li>Tracking and limiting connection counts per user and database.</li> <li>Greatly reducing performance overhead of RELOAD on setups with TLS enabled.</li> <li>Prepared statement support being turned on by default.</li> </ul> <p>See the full details in the <a href="/changelog.html#pgbouncer-124x">changelog</a>.</p> <p>Download here: <a href="/downloads/files/1.24.0/pgbouncer-1.24.0.tar.gz">pgbouncer-1.24.0.tar.gz</a> (<a href="/downloads/files/1.24.0/pgbouncer-1.24.0.tar.gz.sha256">sha256</a>)</p> Fri, 10 Jan 2025 00:00:00 +0000 https://www.pgbouncer.org//2025/01/pgbouncer-1.24.0 https://www.pgbouncer.org//2025/01/pgbouncer-1.24.0 <p>PgBouncer 1.23.1 has been released. This release fixes two crashes that could occur since 1.23.0. If you are on 1.23.0, upgrading to 1.23.1 is strongly recommended.</p> <p>See the full details in the <a href="/changelog.html#pgbouncer-123x">changelog</a>.</p> <p>Download here: <a href="/downloads/files/1.23.1/pgbouncer-1.23.1.tar.gz">pgbouncer-1.23.1.tar.gz</a> (<a href="/downloads/files/1.23.1/pgbouncer-1.23.1.tar.gz.sha256">sha256</a>)</p> Fri, 02 Aug 2024 00:00:00 +0000 https://www.pgbouncer.org//2024/08/pgbouncer-1-23-1 https://www.pgbouncer.org//2024/08/pgbouncer-1-23-1 <p>PgBouncer 1.23.0 has been released. This release contains a number of new features along with a variety of improvements and bug fixes. Highlights are: User name maps can now be used in authentication configuration. In multi-process PgBouncer setups, it is now possible to do rolling restarts. Replication connections can go through PgBouncer.</p> <p>See the full details in the <a href="/changelog.html#pgbouncer-123x">changelog</a>.</p> <p>Download here: <a href="/downloads/files/1.23.0/pgbouncer-1.23.0.tar.gz">pgbouncer-1.23.0.tar.gz</a> (<a href="/downloads/files/1.23.0/pgbouncer-1.23.0.tar.gz.sha256">sha256</a>)</p> Wed, 03 Jul 2024 00:00:00 +0000 https://www.pgbouncer.org//2024/07/pgbouncer-1-23-0 https://www.pgbouncer.org//2024/07/pgbouncer-1-23-0 <p>PgBouncer 1.22.1 has been released. This release fixes issues caused by some clients using <code class="language-plaintext highlighter-rouge">COPY FROM STDIN</code> queries. Such queries could introduce memory leaks, performance regressions and prepared statement misbehavior.</p> <p>See the full details in the <a href="/changelog.html#pgbouncer-122x">changelog</a>.</p> <p>Download here: <a href="/downloads/files/1.22.1/pgbouncer-1.22.1.tar.gz">pgbouncer-1.22.1.tar.gz</a> (<a href="/downloads/files/1.22.1/pgbouncer-1.22.1.tar.gz.sha256">sha256</a>)</p> Mon, 04 Mar 2024 00:00:00 +0000 https://www.pgbouncer.org//2024/03/pgbouncer-1-22-1 https://www.pgbouncer.org//2024/03/pgbouncer-1-22-1 <p>PgBouncer 1.22.0 has been released. The main feature this release adds is support for the <code class="language-plaintext highlighter-rouge">DISCARD ALL</code> and <code class="language-plaintext highlighter-rouge">DEALLOCATE ALL</code> commands when enabling prepared statement support in transaction pooling mode (by setting <code class="language-plaintext highlighter-rouge">max_prepared_statements</code> to a non-zero value). This is an important improvement in the prepared statement support that clears the road for us to be able to enable prepared statement support by default in a future release.</p> <p>Other than that this release contains some small improvements and bugfixes, including improvements to our recommended SystemD configuration files.</p> <p>See the full details in the <a href="/changelog.html#pgbouncer-122x">changelog</a>.</p> <p>Download here: <a href="/downloads/files/1.22.0/pgbouncer-1.22.0.tar.gz">pgbouncer-1.22.0.tar.gz</a> (<a href="/downloads/files/1.22.0/pgbouncer-1.22.0.tar.gz.sha256">sha256</a>)</p> Wed, 31 Jan 2024 00:00:00 +0000 https://www.pgbouncer.org//2024/01/pgbouncer-1-22-0 https://www.pgbouncer.org//2024/01/pgbouncer-1-22-0 <p>PgBouncer 1.21.0 has been released. This release adds one of PgBouncer its most requested features: Support for named prepared statements! See <a href="https://pgbouncer.org/config.html#max_prepared_statements">the docs on <code class="language-plaintext highlighter-rouge">max_prepared_statements</code></a> for details on how the feature works, its limitations, and how to tune the value of the <code class="language-plaintext highlighter-rouge">max_prepared_statements</code> setting.</p> <p>Apart from prepared statement support this release also includes various other improvements, such as much more secure default TLS settings and changes required for FIPS compliance. And it also fixes various bugs and crashes.</p> <p>See the full details in the <a href="/changelog.html#pgbouncer-121x">changelog</a>.</p> <p>Download here: <a href="/downloads/files/1.21.0/pgbouncer-1.21.0.tar.gz">pgbouncer-1.21.0.tar.gz</a> (<a href="/downloads/files/1.21.0/pgbouncer-1.21.0.tar.gz.sha256">sha256</a>)</p> Mon, 16 Oct 2023 00:00:00 +0000 https://www.pgbouncer.org//2023/10/pgbouncer-1-21-0 https://www.pgbouncer.org//2023/10/pgbouncer-1-21-0 <p>PgBouncer 1.20.1 has been released. This minor release reverts back an unintended change in behaviour when <code class="language-plaintext highlighter-rouge">options</code> was specified in <code class="language-plaintext highlighter-rouge">ignore_startup_parameters</code>. This behavioural change was introduced in 1.20.0. It also makes some minor changes to documentation.</p> <p>See the full details in the <a href="/changelog.html#pgbouncer-120x">changelog</a>.</p> <p>Download here: <a href="/downloads/files/1.20.1/pgbouncer-1.20.1.tar.gz">pgbouncer-1.20.1.tar.gz</a> (<a href="/downloads/files/1.20.1/pgbouncer-1.20.1.tar.gz.sha256">sha256</a>)</p> Wed, 09 Aug 2023 00:00:00 +0000 https://www.pgbouncer.org//2023/08/pgbouncer-1-20-1 https://www.pgbouncer.org//2023/08/pgbouncer-1-20-1