Security fix

New auth_user functionality introduced in 1.6 allows login as auth_user when client presents unknown username. It’s quite likely auth_user is superuser. Affects only setups that have enabled auth_user in their config.

Per-pool pooling mode vs. reset query.

PgBouncer 1.6 introduced per-pool pooling mode, but session-pooled connections should not use same reset query as transaction-pooled connections. In fact, transaction-pooled conections should not use any reset query.

To fix this, there is new setting: server_reset_query_always. When set, it disables server_reset_query use on non-session pools.

It is set in 1.6.x for compatibility reasons, but will be unset in 1.7.