The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scripts, as distributed in the Debian postgresql-common package before 181+deb9u1 for PostgreSQL (and other packages related to Debian and Ubuntu), handled symbolic links insecurely, which could result in local denial of service by overwriting arbitrary files.
[
{
"product": "PostgreSQL-related scripts that are specific to Debian and Ubuntu",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "PostgreSQL-related scripts that are specific to Debian and Ubuntu"
}
]
}
]