Comment 3 for bug 1163184

Vulnerability overview:

     - Fix insecure parsing of server command-line switches.
       A connection request containing a database name that begins with
       "-" could be crafted to damage or destroy files within the server's
       data directory, even if the request is eventually rejected.
       [CVE-2013-1899]

       Critical, affects 9.1 only.

     - Reset OpenSSL randomness state in each postmaster child process.
       This avoids a scenario wherein random numbers generated by
       "contrib/pgcrypto" functions might be relatively easy for another
       database user to guess. The risk is only significant when the
       postmaster is configured with ssl = on but most connections don't
       use SSL encryption. [CVE-2013-1900]

       Moderate, affects all versions

     - Make REPLICATION privilege checks test current user not
       authenticated user.
       An unprivileged database user could exploit this mistake to call
       pg_start_backup() or pg_stop_backup(), thus possibly interfering
       with creation of routine backups. [CVE-2013-1901]

       Moderate, affects 9.1 only