PostgreSQL updates 11.4, 10.9, 9.6.14, 9.5.18 and 9.4.23

Corrective updates have been released for all supported PostgreSQL branches: 11.4, 10.9, 9.6.14, 9.5.18 and 9.4.23. Updates for branch 9.4 will be issued until December 2019, for 9.5 until January 2021, for 9.6 until September 2021, for 10 until October 2022, and for 11 until November 2023.

The new versions fix 25 bugs and close a vulnerability (CVE-2019-10164) that could lead to a buffer overflow when a user changes their password. A local attacker with access to PostgreSQL can, by setting a very long password, use this vulnerability to achieve execution of their own code with the privileges of the user account under which the DBMS runs. The vulnerability can also be exploited on the client side: a libpq-based client performing SCRAM authentication against a PostgreSQL server controlled by an attacker is affected. The problem is present in the PostgreSQL 10, 11 and 12-beta branches.
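For an administrator checking an estate of servers, the practical question is whether each instance is on or above the fixed minor release for its branch, and whether its branch carries CVE-2019-10164 at all. The following helper is an added example, not code from the article or from the PostgreSQL project. It takes the integer that `SHOW server_version_num;` returns and decodes it using PostgreSQL's documented encoding (major*10000 + minor for 10 and later, 9*10000 + second*100 + minor for the 9.x branches); the fixed minor versions and the affected branches are the ones stated in the article above. The sample values in the tests are constructed.

```python
"""Assess a PostgreSQL server_version_num against the June 2019 bugfix releases.

Added example (not from the original article or from PostgreSQL itself).
Input is the value of `SHOW server_version_num;`, e.g. 110003 for 11.3.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Branch -> first minor release containing the fixes described in the article
# (11.4, 10.9, 9.6.14, 9.5.18, 9.4.23).
FIXED_MINOR = {
    "11": 4,
    "10": 9,
    "9.6": 14,
    "9.5": 18,
    "9.4": 23,
}

# Branches the article names as carrying CVE-2019-10164 (SCRAM password
# buffer overflow). The article lists no fixed release for the 12 betas,
# so every 12 prerelease is flagged as exposed.
CVE_2019_10164_BRANCHES = {"10", "11", "12"}


@dataclass(frozen=True)
class VersionInfo:
    branch: str
    minor: int
    # True/False: at or above / below the fixed minor for this branch.
    # None: the branch is not one of the five the article covers.
    has_bugfix_release: Optional[bool]
    cve_2019_10164_exposed: bool


def parse_version_num(num: int) -> Tuple[str, int]:
    """Split server_version_num into (branch, minor).

    10+: major*10000 + minor,             e.g. 110003 -> ('11', 3)
    9.x: 9*10000 + second*100 + minor,    e.g. 90613  -> ('9.6', 13)
    """
    major = num // 10000
    if major >= 10:
        return str(major), num % 10000
    return f"{major}.{(num // 100) % 100}", num % 100


def assess(num: int) -> VersionInfo:
    """Decide whether the server has the bugfix release and whether the
    CVE applies to it."""
    branch, minor = parse_version_num(num)
    fixed = FIXED_MINOR.get(branch)
    patched = None if fixed is None else minor >= fixed
    # A branch outside the CVE list is never exposed; an affected branch is
    # exposed unless it is known to be at or above the fixed release.
    exposed = branch in CVE_2019_10164_BRANCHES and patched is not True
    return VersionInfo(branch, minor, patched, exposed)


def describe(num: int) -> str:
    """One-line human-readable summary for a server."""
    info = assess(num)
    state = {True: "has bugfix release", False: "behind bugfix release",
             None: "branch not covered by this advisory"}[info.has_bugfix_release]
    cve = "exposed to CVE-2019-10164" if info.cve_2019_10164_exposed \
        else "not exposed to CVE-2019-10164"
    return f"{info.branch}.{info.minor}: {state}; {cve}"


if __name__ == "__main__":
    # Constructed sample values, not real hosts.
    for sample in (110003, 110004, 100009, 90613, 90614, 120000):
        print(describe(sample))
```

Run it against each server's `SHOW server_version_num;` output; a 9.x instance below its fixed minor is still missing the other 24 bug fixes even though the CVE does not apply to it.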

Source: opennet.ru