CVE-2018-10915: Certain host connection parameters defeat
client-side security defenses
libpq, the client connection API for PostgreSQL that is also used
by other connection libraries, had an internal issue where it did not
reset all of its connection state variables when attempting to
reconnect. In particular, the state variable that determined whether
or not a password is needed for a connection would not be reset, which
could allow users of features requiring libpq, such as the "dblink" or
"postgres_fdw" extensions, to login to servers they should not be able
to access.
CVE-2018-10925: Memory disclosure and missing authorization in
`INSERT ... ON CONFLICT DO UPDATE`
An attacker able to issue CREATE TABLE can read arbitrary bytes of
server memory using an upsert (`INSERT ... ON CONFLICT DO UPDATE`)
query. By default, any user can exploit that. A user that has
specific INSERT privileges and an UPDATE privilege on at least one
column in a given table can also update other columns using a view and
an upsert query.