The PostgreSQL Global Development Group, in conjunction with the
cumulative update release on November 14, 2019 for versions 12.1, 11.6,
10.11, 9.6.16, 9.5.20, and 9.4.25, advises all users on Debian and
Ubuntu to update their "postgresql-common" packages as soon as possible.
The latest releases of PostgreSQL packages from apt.postgresql.org,
debian.org, and ubuntu.com closed a vulnerability (CVE-2019-3466) in
which the PostgreSQL superuser could escalate to root using a deficiency
in the `pg_ctlcluster` command. `pg_ctlcluster` is a utility provided by
the "postgresql-common" package that is installed with PostgreSQL on
theses platforms.
Updating
--------
All PostgreSQL update releases are cumulative. As with other minor
releases, users are not required to dump and reload their database or
use `pg_upgrade` in order to apply this update release; you may simply
shutdown PostgreSQL and update its binaries.
Users who have skipped one or more update releases may need to run
additional, post-update steps; please see the release notes for earlier
versions for details.
**NOTE**: PostgreSQL 9.4 will stop receiving fixes on February 13, 2020.
Please see our versioning policy for more information:
https://www.postgresql.org/support/versioning/
Links
-----
* Download: https://www.postgresql.org/download/
* 2019-11-14 Release Announcement:
https://www.postgresql.org/about/news/1994/
* Release Notes: https://www.postgresql.org/docs/current/release.html
* Security Page: https://www.postgresql.org/support/security/
* Versioning Policy: https://www.postgresql.org/support/versioning/
* Follow @postgresql on Twitter: https://twitter.com/postgresql
