For the first time in a while, we have a bunch of "low-risk" security fixes in this release, but no "critical" security fixes. The reason I put those terms in quotes is that it doesn't matter how critical the fixes are in general; it matters how critical they are to you. So you should definitely read over the release notes and the CVE notices to check how they affect you.
All five of the security holes patched require prior authentication. Four of the five have not been proven to have an actual privilege escalation vector; they may be only denial-of-service attacks. And the fifth security issue only affects you if you are using per-column privileges for columns with constraints on them. That's why I regard these issues as relatively "low-risk".
There are also some important fixes to performance and replication for versions 9.4 and 9.3, so users of those versions should apply the update soon. For other users, unless you live in the Fiji Islands or other places affected by timezone changes, you can probably wait for your next scheduled maintenance window. You do have scheduled maintenance windows, yes?
Other people who might care to apply this update sooner rather than later include:
- Users who have already had issues with autovacuum
- People using the new logical decoding
- Users who have a single archive which is shared between master and replicas.
- Folks who create a bunch of tablespaces.
- Developers who use tsquery, xpath(), and/or complex regular expression searches
- JSONB users.
- Norwegians who use Postgres on Windows
- Users who have reported bugs with explicit locking and deadlocking in the last few months.