The new versions fix 25 bugs and close a vulnerability (CVE-2019-10164) that can cause a buffer overflow when a user changes their password. By setting a very long password, a local attacker with access to PostgreSQL can execute their own code with the privileges of the user the DBMS runs as. The vulnerability can also be exploited on the client side: when a user connects to a PostgreSQL server controlled by an attacker, the overflow can be triggered in a libpq-based client during SCRAM authentication. The problem affects the PostgreSQL 10, 11 and 12-beta branches.
Source: opennet.ru