The PostgreSQL Global Development Group, in conjunction with the cumulative update release on November 14, 2019 for versions 12.1, 11.6, 10.11, 9.6.16, 9.5.20, and 9.4.25, advises all users on Debian and Ubuntu to update their "postgresql-common" packages as soon as possible.
The latest releases of the PostgreSQL packages from apt.postgresql.org,
debian.org, and ubuntu.com close a vulnerability (CVE-2019-3466) in which the
PostgreSQL superuser could escalate to root through a deficiency in the
pg_ctlcluster command. pg_ctlcluster is a utility provided by the
"postgresql-common" package, which is installed alongside PostgreSQL on these
platforms. Because the fix ships in postgresql-common rather than in the server
packages, updating only the server packages does not close this issue.
All PostgreSQL update releases are cumulative. As with other minor releases,
users are not required to dump and reload their database or use pg_upgrade in
order to apply this update release; you may simply shut down PostgreSQL and
update its binaries.
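As an added illustration (not part of the original announcement and not code from the PostgreSQL project), the following POSIX shell script decides, from a `postgres --version` style string, whether a server binary is still below the minor release listed above for its major line. It only covers the server minors named in this announcement; the pg_ctlcluster fix itself lives in postgresql-common, whose fixed package version is not stated here and must be taken from your distribution's advisory. The version strings in the script are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the PostgreSQL project): check whether a server
# binary is at or above the 14 November 2019 cumulative minor release for
# its major line, using the minors named in the announcement. It does NOT
# check postgresql-common, which is where the pg_ctlcluster fix ships.

# Minimum minor release per supported major line, from the announcement.
fixed_minor_for_major() {
    case "$1" in
        12)  echo 1 ;;
        11)  echo 6 ;;
        10)  echo 11 ;;
        9.6) echo 16 ;;
        9.5) echo 20 ;;
        9.4) echo 25 ;;
        *)   return 1 ;;   # major line not covered by this release
    esac
}

# Pull "major" and "minor" out of strings such as
# "postgres (PostgreSQL) 11.5 (Debian 11.5-1.pgdg100+1)" or "9.6.15".
# 9.x lines have two-part majors (9.6); 10 and later use a single number.
parse_version() {
    ver=""
    for tok in $1; do
        case "$tok" in
            [0-9]*.[0-9]*) ver=$tok; break ;;   # first dotted numeric token
        esac
    done
    [ -n "$ver" ] || return 1
    case "$ver" in
        9.*) major=${ver%.*};  minor=${ver##*.} ;;   # 9.6.15 -> 9.6 / 15
        *)   major=${ver%%.*}; minor=${ver#*.}  ;;   # 11.5   -> 11  / 5
    esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac   # minor must be digits
}

# Exit 0 if the server is below the fixed minor (update needed),
# 1 if it is at or above it, 2 if the string cannot be parsed or the
# major line is not covered by the announcement.
is_below_fixed_minor() {
    parse_version "$1" || return 2
    need=$(fixed_minor_for_major "$major") || return 2
    [ "$minor" -lt "$need" ]
}

# Constructed sample input in `postgres --version` format, one per line.
SAMPLE_VERSIONS='postgres (PostgreSQL) 11.5 (Debian 11.5-1.pgdg100+1)
postgres (PostgreSQL) 12.1 (Ubuntu 12.1-1.pgdg18.04+1)
postgres (PostgreSQL) 9.6.15
postgres (PostgreSQL) 10.11
postgres (PostgreSQL) 9.3.25'

printf '%s\n' "$SAMPLE_VERSIONS" | while IFS= read -r line; do
    is_below_fixed_minor "$line" && rc=0 || rc=$?
    case "$rc" in
        0) printf 'UPDATE NEEDED  %s\n' "$line" ;;
        1) printf 'ok             %s\n' "$line" ;;
        *) printf 'NOT COVERED    %s\n' "$line" ;;
    esac
done
```

On a Debian or Ubuntu host you would feed it the output of `/usr/lib/postgresql/<major>/bin/postgres --version` for each cluster shown by `pg_lsclusters`; a server that reports "ok" here can still have a vulnerable pg_ctlcluster if postgresql-common was not updated.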
Users who have skipped one or more update releases may need to run additional, post-update steps; please see the release notes for earlier versions for details.
NOTE: PostgreSQL 9.4 will stop receiving fixes on February 13, 2020. Please see our versioning policy for more information.