
A security update has been released for pgAgent on Debian GNU/Linux 11 (Bullseye) LTS. When pgAgent executes batch jobs, it uses an insufficiently seeded random number generator to name the temporary directory that holds the job script, so a local attacker can pre-create that directory and prevent jobs from running, disrupting scheduled tasks. The problem, tracked as CVE-2025-0218 and Debian Bug number 1092677, is fixed in version 4.0.0-8+deb11u1 of pgAgent, and users are advised to upgrade their packages.

[DLA 4338-1] pgagent security update






-------------------------------------------------------------------------
Debian LTS Advisory DLA-4338-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Andreas Henriksson
October 18, 2025                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : pgagent
Version : 4.0.0-8+deb11u1
CVE ID : CVE-2025-0218
Debian Bug : 1092677

When batch jobs are executed by pgAgent, a script is created in a temporary
directory and then executed. In versions of pgAgent prior to 4.2.3, an
insufficiently seeded random number generator is used when generating the
directory name, leading to the possibility for a local attacker to pre-create
the directory and thus prevent pgAgent from executing jobs, disrupting
scheduled tasks.

For Debian 11 bullseye, this problem has been fixed in version
4.0.0-8+deb11u1.

We recommend that you upgrade your pgagent packages.

For the detailed security status of pgagent please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pgagent

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
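
The failure mode described in the advisory, as an added C example (not pgAgent's code and not part of the advisory): a directory name derived from a guessable seed collides with a directory that already exists, while `mkdtemp()` lets the C library choose the name and create the directory atomically. The `job_` prefix, the function names and the caller-supplied seed are assumptions made for illustration.

```c
/* Added illustration, not pgAgent source. The job_ prefix, the function
 * names and the caller-supplied seed are assumptions made for the example. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes mkdtemp() and lstat() on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: the name is a pure function of the seed, so it is known in
 * advance; mkdir() fails (EEXIST) when that directory already exists. */
int make_job_dir_weak(const char *base, unsigned seed, char *out, size_t len)
{
    srand(seed);
    int n = snprintf(out, len, "%s/job_%08x", base, (unsigned)rand());
    if (n <= 0 || (size_t)n >= len)
        return -1;
    return mkdir(out, 0700);
}

/* Hardened pattern: mkdtemp() chooses the name, creates the directory
 * atomically with mode 0700 and retries by itself on a name collision. */
int make_job_dir_safe(const char *base, char *out, size_t len)
{
    int n = snprintf(out, len, "%s/job_XXXXXX", base);
    if (n <= 0 || (size_t)n >= len)
        return -1;
    return mkdtemp(out) ? 0 : -1;
}

/* Defensive check before writing a script: a real directory (not a symlink),
 * owned by the service account, with no group/other permission bits. */
int job_dir_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return st.st_uid == geteuid() && (st.st_mode & 077) == 0;
}

int main(void)
{
    char dir[256];
    if (make_job_dir_safe("/tmp", dir, sizeof dir) != 0)
        return 1;
    printf("%s private=%d\n", dir, job_dir_is_private(dir));
    return rmdir(dir);
}
```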