Request postgresql update to 9.5.12

9.5.3 in the latest release of CI is vulnerable to CVE-2018-1052, CVE-2018-1053 and CVE-2018-1058.

9.5.11 contains fixes for CVE-2018-1052, CVE-2018-1053:
https://www.postgresql.org/about/news/1834/
https://www.postgresql.org/about/news/1829/

9.5.12 contains fixes for CVE-2018-1058; CI may not be vulnerable, as the attack vector requires specific configuration. However, it probably makes sense to move to 9.5.12.
https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path
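Added example, not part of the original post: a psql check that covers the two points above, whether the bundled server is still below 9.5.12 (server_version_num encodes 9.5.12 as 90512) and whether the CVE-2018-1058 precondition from the linked guide applies, namely that any role can CREATE objects in the public schema. The final REVOKE is the guide's recommended hardening; whether it suits CI's bundled database is an assumption to verify against the application's own schema usage.

```sql
-- Added example (not from the original post): run as a superuser with psql.

-- 1. Is the server older than 9.5.12? (server_version_num = major*10000 + minor for 9.x)
SELECT current_setting('server_version') AS version,
       current_setting('server_version_num')::int < 90512 AS needs_update;

-- 2. CVE-2018-1058 precondition: can every role create objects in the public schema?
--    TRUE here means an unprivileged role could plant a function that shadows
--    one resolved via the default search_path.
SELECT has_schema_privilege('PUBLIC', 'public', 'CREATE') AS public_can_create;

-- 3. List roles that already own objects in public other than the expected owner
--    (replace 'expected_owner' with the application's own role; constructed placeholder).
SELECT n.nspname, c.relname, pg_get_userbyid(c.relowner) AS owner
FROM   pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE  n.nspname = 'public' AND pg_get_userbyid(c.relowner) <> 'expected_owner';

-- 4. Hardening from the PostgreSQL guide: stop arbitrary roles creating in public.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
```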


Thanks for bringing this to our attention. The version we currently ship is 9.5.8 - we’ll get that updated asap. In the future, please send this sort of issue to our support email rather than posting on the forums - https://en.wikipedia.org/wiki/Responsible_disclosure

Thanks. I posted here because these issues are already public. Responsible disclosure isn’t relevant in this situation, I’m not disclosing anything that wasn’t already public for weeks.

You might want to have someone monitoring weekly vulnerability bulletins (https://www.us-cert.gov/ncas/bulletins is where we get them, probably others) it shouldn’t take long to scan them for anything that might affect CI.

Next time I’ll send to support email.

Yes they were already known to the postgres community, but probably not general knowledge here.

I would love to have someone monitoring vulnerabilities but we're extremely resource strapped at the moment and there isn’t anyone here (myself included) I can pile more work onto.

Understood. Can you provide a list of any other third party tools/components used to build or incorporated into CI? I review these bulletins weekly, and I’d be happy to pass along information via email. Just need to know what you’d be interested in.

Anything that affects CI ends up being my concern anyway, I’d not bug you with IIS issues of course… you can’t do anything about that :wink:

We ship postgresql, mercurial. As for third party code libraries, there are many, and we do keep on top of those (open source and commercial), as it’s relatively easy with nuget. FWIW we are working on upgrading the version of mercurial we ship, however the most recent builds broke some of the extensions we use/require, and it also has a major performance regression (I submitted a fix for that to mercurial for the next mercurial release).

In the future I’ll pass on anything for postgresql, svn and git clients as well. I’m on top of svn and git already.

Thanks for the great product, and quick response… your support is top notch!

Hi Brenden,

Version 1.8.1.801 upgrades the bundled version of PostgreSQL to version 9.6.8.

Note that we do not bundle svn and git clients with Continua CI - these need to be upgraded independently.

Thanks, scheduled the update this weekend…

I forgot that git/svn clients are handled separately… I’ll pass along postgresql CVEs… that makes it simple.