The current version in sarge (w/ security updates) is 4.5.3-4 and from looking at upstream's CVS tree, it appears to me as if the bug leading to the security vulnerability was introduced _after_ 4.5.3. Can you confirm that this bug exists in 4.5.3-4? Moreover, merging the PostgreSQL-related issues with this security bug does _not_ seem to be a good idea to me. Cheers, -Hilko, reading up on BTS documentation