Headline
CVE-2020-17446: Release asyncpg v0.21.0 · MagicStack/asyncpg
asyncpg before 0.21.0 allows a malicious PostgreSQL server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, because of access to an uninitialized pointer in the array data decoder.
Improvements
Add support for password functions (useful for RDS IAM auth) (#554)
(by Harvey Frye in 1d9457f for #554)
Add support for connection termination listeners (#525)
(by @iomintz in 8141b93 for #525)
Update CI matrix, aarch64 builds (#595)
(by @Gelbpunkt in ac6a2fc for #595)
Fixes
Fix possible uninitialized pointer access on unexpected array message data
(CVE-2020-17446, by @elprans in 69bcdf5, reported by @risicle)
Fix Connection class _copy_in private method
(by @ABCDeath in 7f5c2a2 for #555)
Bump pgproto to fix compilation issues
(by @elprans in aa67d61 for #565)
Improve pool documentation examples (#491)
(by @nyurik in 745f8f8 for #491)
Update usage.rst (#572)
(by @xuedong09 in f5b425a for #572)
Fix links in connection documentation (#584)
(by @samuelcolvin in b081320 for #584)
Fix usage documentation for hstore (#515)
(by @aaliddell in 39040b3 for #515)
Fix compiler warnings
(by @elprans in 6cb5ba1)