CVE-2020-17446

asyncpg before 0.21.0 allows a malicious PostgreSQL server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, because of access to an uninitialized pointer in the array data decoder.

References

Affected packages

Debian:11 / asyncpg

Package

Name: asyncpg
Purl: pkg:deb/debian/asyncpg?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.21.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / asyncpg

Package

Name: asyncpg
Purl: pkg:deb/debian/asyncpg?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.21.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / asyncpg

Package

Name: asyncpg
Purl: pkg:deb/debian/asyncpg?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.21.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/magicstack/asyncpg

Affected ranges

Type: GIT
Repo: https://github.com/magicstack/asyncpg
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

87a4302f26e6194f8a8355fc582c98bfc0f1511a

Affected versions

v0.*

v0.10.0

v0.10.1

v0.11.0

v0.12.0

v0.13.0

v0.14.0

v0.15.0

v0.16.0

v0.17.0

v0.18.0

v0.19.0

v0.20.0

v0.20.1

v0.5.1

v0.5.2

v0.5.3

v0.5.4

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.7.0

v0.8.1

v0.8.2

v0.8.3

v0.8.4

v0.9.0