The PostgreSQL developers report:
PostgreSQL allows users to create indexes on the results of
user-defined functions, known as "expression indexes". This provided
two vulnerabilities to privilege escalation: (1) index functions
were executed as the superuser and not the table owner during VACUUM
and ANALYZE, and (2) that SET ROLE and SET SESSION AUTHORIZATION
were permitted within index functions. Both of these holes have now
been closed.
PostgreSQL allowed malicious users to initiate a denial-of-service
by passing certain regular expressions in SQL queries. First, users
could create infinite loops using some specific regular expressions.
Second, certain complex regular expressions could consume excessive
amounts of memory. Third, out-of-range backref numbers could be used
to crash the backend.
DBLink functions combined with local trust or ident authentication
could be used by a malicious user to gain superuser privileges. This
issue has been fixed, and does not affect users who have not
installed DBLink (an optional module), or who are using password
authentication for local access. This same problem was addressed in
the previous release cycle, but that patch failed to close all forms
of the loophole.