PostgreSQL minor versions 8.1.4, 8.0.8, 7.4.13 and 7.3.15 have been updated to address a SQL injection vulnerability affecting applications that embed untrusted input directly into SQL statement text (i.e., applications that don't pass input through the PreparedStatement facility).
In case you're unaware, SQL injection uses specially crafted inputs to violate programmer intent. The classic example is something like this:
String sql = "select * from users where username='" + username +
    "' and password='" + password + "'";   // untrusted input pasted into the statement text
Statement stmt = conn.createStatement();   // conn is an open java.sql.Connection; createStatement() takes no SQL
ResultSet rs = stmt.executeQuery(sql);     // executeQuery(sql) returns the ResultSet
If password is set to a value such as "a' or username like '%' or password like '%", the SQL evaluated will be something like this:
select * from users where username='a' and password='a'
or username like '%' or password like '%'
Obviously, this can have some security implications. In Java, PreparedStatement is used to easily avoid this kind of security attack, with some performance benefits as well for many databases.
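To make the contrast concrete, here is an added example (not code from the original post) that runs the post's payload through both the concatenated form and the parameter-bound form that PreparedStatement gives you in Java. It uses Python's sqlite3 in place of PostgreSQL/JDBC only because it runs offline; the users table and its rows are constructed for the demo.

```python
import sqlite3

# Constructed in-memory stand-in for the "users" table from the post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.execute("insert into users values ('alice', 's3cret'), ('bob', 'hunter2')")
    conn.commit()
    return conn

def login_concat(conn, username, password):
    """The vulnerable pattern from the post: input is spliced into the SQL text,
    so quote characters in the input change the structure of the statement."""
    sql = ("select * from users where username='" + username +
           "' and password='" + password + "'")
    return conn.execute(sql).fetchall()

def login_bound(conn, username, password):
    """The fix: the statement text is fixed at write time and the values are
    sent separately as parameters, so they can only ever be compared as data."""
    sql = "select * from users where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchall()

# The exact password value quoted in the post.
PAYLOAD = "a' or username like '%' or password like '%"

def demo():
    """Return how many rows each form hands back for the post's payload,
    plus a sanity check that the bound form still accepts real credentials."""
    conn = make_db()
    return {
        # Concatenation: the OR clauses from the payload match every row.
        "concat_rows": len(login_concat(conn, "a", PAYLOAD)),
        # Binding: the payload is compared literally against the password column.
        "bound_rows": len(login_bound(conn, "a", PAYLOAD)),
        # Binding still works for a legitimate login.
        "bound_valid": len(login_bound(conn, "alice", "s3cret")),
    }
```

Running demo() shows the concatenated query returning every user while the bound query returns none for the same input, which is the whole reason the post recommends PreparedStatement.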
If your application using PostgreSQL isn't using PreparedStatement - and can't - it might be a good time to update PostgreSQL.
There's a release note about the security issue, which includes tips on how to avoid it (mostly applicable if you're using PHP).