Errata overview
Errata ID 392
Date 2018-05-08
Source package postgresql-9.4
Fixed in version 9.4.15-0+deb8u1
This update addresses the following issues:
* PostgreSQL runs under a non-root operating system account, and database
  superusers have effective ability to run arbitrary code under that system
  account. PostgreSQL provides a script for starting the database server
  during system boot. Packages of PostgreSQL for many operating systems
  provide their own, packager-authored startup implementations. Several
  implementations use a log file name that the database superuser can replace
  with a symbolic link. As root, they open(), chmod() and/or chown() this log
  file name. This often suffices for the database superuser to escalate to
  root privileges when root starts the server. (CVE-2017-12172)
* Invalid json_populate_recordset or jsonb_populate_recordset function calls
  can crash the server or disclose a few bytes of server memory.
Additional notes
CVE ID CVE-2017-12172
UCS Bug number #45752