Sven Klemm found that some extensions in the PostgreSQL database system could replace objects not belonging to the extension. An attacker could leverage this to run arbitrary commands as another user.
Alexander Lakhin discovered that the autovacuum feature and multiple commands could escape the “security-restricted operation” sandbox.
For Debian 9 stretch, these problems have been fixed in version 9.6.24-0+deb9u2.
We recommend that you upgrade your postgresql-9.6 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.