CVE-2020-17446: Release asyncpg v0.21.0 · MagicStack/asyncpg

asyncpg before 0.21.0 allows a malicious PostgreSQL server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, because of access to an uninitialized pointer in the array data decoder.
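The defensive pattern the fix calls for, as an added illustration rather than asyncpg's own code: a decoder for the PostgreSQL binary array wire format that checks every header field and element length against the buffer before reading, so a crafted server response raises an error instead of reaching uninitialized or out-of-bounds memory. MAXDIM is PostgreSQL's own array.h limit; the sample byte strings and the helper names are constructed for this example and assume nothing about asyncpg's internals.

```python
import math, struct

# PostgreSQL's array.h caps arrays at MAXDIM (6) dimensions; more is malformed.
MAXDIM = 6

def decode_binary_array(buf: bytes):
    """PostgreSQL binary array format: int32 ndim, flags, element OID; (length,
    lower bound) per dimension; int32 length (-1 = NULL) before each element."""
    pos = 0
    def take_int32() -> int:
        nonlocal pos
        if pos + 4 > len(buf):  # bounds check before every header read
            raise ValueError(f"truncated at offset {pos}")
        val = struct.unpack_from("!i", buf, pos)[0]
        pos += 4
        return val
    ndim, _flags, _elem_oid = take_int32(), take_int32(), take_int32()
    if not 0 <= ndim <= MAXDIM:
        raise ValueError(f"invalid ndim {ndim}")
    dims = []
    for _ in range(ndim):
        length, _lower_bound = take_int32(), take_int32()
        if length < 0:
            raise ValueError(f"negative dimension length {length}")
        dims.append(length)
    total = math.prod(dims) if ndim else 0  # Python ints: cannot wrap
    if total * 4 > len(buf) - pos:  # every element needs a length prefix
        raise ValueError(f"{total} elements cannot fit in payload")
    elems = []
    for _ in range(total):
        elen = take_int32()
        if elen == -1:
            elems.append(None)
        elif elen < 0 or pos + elen > len(buf):
            raise ValueError(f"element length {elen} exceeds payload")
        else:
            elems.append(bytes(buf[pos:pos + elen]))
            pos += elen
    if pos != len(buf):
        raise ValueError(f"{len(buf) - pos} trailing bytes")
    return dims, elems

def try_decode(buf: bytes):  # ("ok", result) or ("error", message)
    try:
        return ("ok", decode_binary_array(buf))
    except ValueError as exc:
        return ("error", str(exc))

# Constructed samples (not captures): well-formed int4 {1,NULL}; crafted dim length 0x7FFFFFFF.
SAMPLE_OK = struct.pack("!iiiii", 1, 1, 23, 2, 1) + struct.pack("!iii", 4, 1, -1)
SAMPLE_HUGE_DIM = struct.pack("!iiiii", 1, 0, 23, 0x7FFFFFFF, 1) + struct.pack("!ii", 4, 1)
```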

Improvements

  • Add support for password functions (useful for RDS IAM auth) (#554)
    (by Harvey Frye in 1d9457f for #554)

  • Add support for connection termination listeners (#525)
    (by @iomintz in 8141b93 for #525)

  • Update CI matrix, aarch64 builds (#595)
    (by @Gelbpunkt in ac6a2fc for #595)

Fixes

  • Fix possible uninitialized pointer access on unexpected array
    message data (CVE-2020-17446, by @elprans in 69bcdf5,
    reported by @risicle)

  • Fix Connection class _copy_in private method
    (by @ABCDeath in 7f5c2a2 for #555)

  • Bump pgproto to fix compilation issues
    (by @elprans in aa67d61 for #565)

  • Improve pool documentation examples (#491)
    (by @nyurik in 745f8f8 for #491)

  • Update usage.rst (#572)
    (by @xuedong09 in f5b425a for #572)

  • Fix links in connection documentation (#584)
    (by @samuelcolvin in b081320 for #584)

  • Fix usage documentation for hstore (#515)
    (by @aaliddell in 39040b3 for #515)

  • Fix compiler warnings
    (by @elprans in 6cb5ba1)
