diff -Nru postgresql-common-173ubuntu0.2/debian/changelog postgresql-common-173ubuntu0.3/debian/changelog
--- postgresql-common-173ubuntu0.2/debian/changelog 2018-07-11 15:13:21.000000000 +0000
+++ postgresql-common-173ubuntu0.3/debian/changelog 2019-11-13 15:31:07.000000000 +0000
@@ -1,3 +1,16 @@
+postgresql-common (173ubuntu0.3) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Privilege Escalation via Arbitrary Directory Creation
+ - pg_ctlcluster: Drop privileges before creating socket and stats temp
+ directories outside /var/run/postgresql. The default configuration is
+ not affected by this change. Users with directories on volatile
+ storage (tmpfs) in other locations have to make sure the parent
+ directory is writable for the cluster owner.
+ - Thanks to Rich Mirch and Christoph Berg.
+ - CVE-2019-3466
+
+ -- Marc Deslauriers Wed, 13 Nov 2019 10:31:07 -0500
+
 postgresql-common (173ubuntu0.2) xenial; urgency=medium
 
 * Convert triggers to noawait (LP: #1780996)
diff -Nru postgresql-common-173ubuntu0.2/pg_ctlcluster postgresql-common-173ubuntu0.3/pg_ctlcluster
--- postgresql-common-173ubuntu0.2/pg_ctlcluster 2017-11-08 13:16:49.000000000 +0000
+++ postgresql-common-173ubuntu0.3/pg_ctlcluster 2019-11-13 15:29:47.000000000 +0000
@@ -455,16 +455,29 @@
 }
 }
 
-# recreate /var/run/postgresql
-if ($action ne 'stop' && ! -d $info{'socketdir'}) {
- system 'install', '-d', '-m', 2775,
- '-o', $info{'owneruid'}, '-g', $info{'ownergid'}, $info{'socketdir'};
-}
+if ($action ne 'stop') {
+ # recreate /var/run/postgresql while possibly still running as root
+ if (! -d '/var/run/postgresql') {
+ system 'install', '-d', '-m', 2775, '-o', 'postgres', '-g', 'postgres', '/var/run/postgresql';
+ }
 
-# recreate stats_temp_directory
-if ($action ne 'stop' && $info{'statstempdir'} && ! -d $info{'statstempdir'}) {
- system 'install', '-d', '-m', 750,
- '-o', $info{'owneruid'}, '-g', $info{'ownergid'}, $info{'statstempdir'};
+ # allow creating socket directories below /var/run/postgresql for any user
+ if ($info{socketdir} =~ m!^(/var)/run/postgresql/[\w_.-]+$! and ! -d $info{socketdir}) {
+ if (mkdir $info{socketdir}, 02775) { # don't use "install" here as it would allow stealing existing directories
+ chown $info{owneruid}, $info{ownergid}, $info{socketdir};
+ } else {
+ error "Could not create $info{socketdir}: $!";
+ }
+ }
+
+ # allow creating stats_temp_directory below /var/run/postgresql for any user
+ if ($info{'statstempdir'} and $info{'statstempdir'}=~ m!^(/var)/run/postgresql/[\w_.-]+$! and ! -d $info{'statstempdir'}) {
+ if (mkdir $info{'statstempdir'}, 0750) { # don't use "install" here as it would allow stealing existing directories
+ chown $info{owneruid}, $info{ownergid}, $info{'statstempdir'};
+ } else {
+ error "Could not create $info{'statstempdir'}: $!";
+ }
+ }
 }
 
 if ($> == 0) {
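Review bot: `mkdir $info{socketdir}, 02775` (and the `0750` mkdir for the stats directory) is masked by the process umask, unlike the `install -d -m 2775` it replaces, so under a restrictive umask the socket directory can end up as 02700 and clients other than the owner can no longer reach the socket; unless the script sets umask earlier (not visible here), add `chmod 02775, $info{socketdir};` and `chmod 0750, $info{'statstempdir'};` after each successful mkdir/chown. The capture group in `m!^(/var)/run/postgresql/[\w_.-]+$!` is never used: if the intent was to also accept paths under `/run/postgresql` (the usual symlink target) it needs `(/var)?`, otherwise the parentheses should go, and `\A`/`\z` are safer anchors than `^`/`$` because `$` tolerates a trailing newline. The `mkdir`/`chown` pair is two separate steps on a group-writable parent, so it is worth `lstat`-ing the new path and chowning only while it is still a directory owned by uid 0, which narrows the window the mkdir-instead-of-install comment is guarding against. This is top-level script code; the `if ($> == 0) {` block opened on the hunk's last line continues outside the hunk.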
@@ -489,6 +502,16 @@
 (getpwuid $info{'owneruid'})[0].') or root';
 }
 
+# create socket directory (if it wasn't already created in /var/run/postgresql by the code above)
+if ($action ne 'stop' && ! -d $info{socketdir}) {
+ system 'install', '-d', '-m', 2775, $info{socketdir};
+}
+
+# create stats_temp_directory (if it wasn't already created in /var/run/postgresql by the code above)
+if ($action ne 'stop' && $info{config}->{stats_temp_directory} && ! -d $info{config}->{stats_temp_directory}) {
+ system 'install', '-d', '-m', 750, $info{config}->{stats_temp_directory};
+}
+
 $pg_ctl = $bindir ? "$bindir/pg_ctl" : get_program_path ('pg_ctl', $version);
 
 if ($action =~ /^(start|stop|restart|reload|status|promote)$/) {
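Review bot: The post-drop fallback keys on `$info{config}->{stats_temp_directory}` while the root-side block in the previous hunk uses `$info{'statstempdir'}`; if those two values can differ (for instance statstempdir being a resolved form of a relative config value, which I cannot confirm from here), a relative stats_temp_directory is tested with `-d` and created relative to the current working directory rather than the data directory, so the same `$info{'statstempdir'}` key should be used in both places. Both `system 'install'` calls still discard their exit status, and now that they run as the cluster owner the failure the changelog warns about (parent directory not writable) only surfaces later from pg_ctl with a less specific message; `system('install', '-d', '-m', 2775, $info{socketdir}) == 0 or error "Could not create $info{socketdir}";` (and the same for the stats directory) mirrors the root-side branch and gives the operator the real cause. Presumably these lines run after the privilege drop performed inside the `if ($> == 0)` block, whose start is outside this hunk.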