Security fix

New auth_user functionality introduced in 1.6 allows login as auth_user when client presents unknown username. It’s quite likely auth_user is superuser. Affects only setups that have enabled auth_user in their config.

Per-pool pooling mode vs. reset query.

PgBouncer 1.6 introduced per-pool pooling mode, but session-pooled connections should not use same reset query as transaction-pooled connections. In fact, transaction-pooled conections should not use any reset query.

To fix this, there is new setting: server_reset_query_always. When set, it disables server_reset_query use on non-session pools.

It is set in 1.6.x for compatibility reasons, but will be unset in 1.7.

Main new features:

• Load user password hash from postgres database.
• Pooling mode can be configured both per-database and per-user.
• Per-database and per-user connection limits: max_db_connections and max_user_connections.
• Add DISABLE/ENABLE commands to prevent new connections.
• New preferred DNS backend: c-ares.
• Config files have %include FILENAME directive to allow configuration to be split into several files.

Put up new website.