Notable from the release announcement for those not reading the article:
libpq, the client connection API for PostgreSQL that is also used by other
connection libraries, had an internal issue where it did not reset all of its
connection state variables when attempting to reconnect. In particular, the
state variable that determined whether or not a password is needed for a
connection would not be reset, which could allow users of features requiring
libpq, such as the “dblink” or “postgres_fdw” extensions, to log in to servers
they should not be able to access.
You can check if your database has either extension installed by running the
following from your PostgreSQL shell:
Users are advised to upgrade their libpq installations as soon as possible.
The PostgreSQL Global Development Group thanks Andrew Krasichkov for reporting

INSERT ... ON CONFLICT DO UPDATE

An attacker able to issue CREATE TABLE can read arbitrary bytes of server memory
using an upsert (INSERT ... ON CONFLICT DO UPDATE) query. By default, any
user can exploit that. A user that has specific INSERT privileges and an UPDATE
privilege on at least one column in a given table can also update other columns
using a view and an upsert query.
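
One way to run the extension check mentioned above, as an added example (not the announcement's own command and not part of the original comment). pg_extension is a per-database catalog, so the second and third queries are run in every connectable database; the third query goes beyond the check and lists the postgres_fdw foreign servers and the roles mapped to them.

```sql
-- 1. Databases to visit: extensions are installed per database,
--    so a single check in "postgres" is not enough.
SELECT datname
FROM pg_database
WHERE datallowconn
ORDER BY datname;

-- 2. In each database: is dblink or postgres_fdw installed, in which
--    schema, and at what extension version?
SELECT current_database() AS database,
       e.extname,
       e.extversion,
       n.nspname          AS schema
FROM pg_extension e
JOIN pg_namespace n ON n.oid = e.extnamespace
WHERE e.extname IN ('dblink', 'postgres_fdw')
ORDER BY e.extname;

-- 3. In each database where postgres_fdw is installed: the foreign servers
--    defined through it and the local roles that have a user mapping.
--    usename is NULL when a server has no mappings; 'public' marks a
--    mapping that applies to every role.
SELECT s.srvname          AS foreign_server,
       pg_get_userbyid(s.srvowner) AS server_owner,
       um.usename         AS mapped_role
FROM pg_foreign_server s
JOIN pg_foreign_data_wrapper w ON w.oid = s.srvfdw
LEFT JOIN pg_user_mappings um  ON um.srvid = s.oid
WHERE w.fdwname = 'postgres_fdw'
ORDER BY s.srvname, um.usename;
```

An empty result from the second query in every database means neither extension is installed there; libpq itself still needs the upgrade on any host that links against it.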