Additional Advisory to 2019-11-14 Cumulative Update Release for Debian and Ubuntu Users

Posted on 2019-12-04 by PostgreSQL Global Development Group

The PostgreSQL Global Development Group, in conjunction with the cumulative update release on November 14, 2019 for versions 12.1, 11.6, 10.11, 9.6.16, 9.5.20, and 9.4.25, advises all users on Debian and Ubuntu to update their "postgresql-common" packages as soon as possible.

The latest releases of PostgreSQL packages from apt.postgresql.org, debian.org, and ubuntu.com closed a vulnerability (CVE-2019-3466) in which the PostgreSQL superuser could escalate to root using a deficiency in the pg_ctlcluster command. pg_ctlcluster is a utility provided by the "postgresql-common" package that is installed with PostgreSQL on these platforms.

Updating

All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shutdown PostgreSQL and update its binaries.

Users who have skipped one or more update releases may need to run additional, post-update steps; please see the release notes for earlier versions for details.

NOTE: PostgreSQL 9.4 will stop receiving fixes on February 13, 2020. Please see our versioning policy for more information.

Links

PostgreSQL Project Security