An extension script is vulnerable if it uses @extowner@,
@extschema@, or @extschema:...@ inside a quoting construct
(dollar quoting, '', or ""). No bundled extension is
vulnerable. Vulnerable uses do appear in a documentation
example and in non-bundled extensions. Hence, the attack
prerequisite is an administrator having installed files of a
vulnerable, trusted, non-bundled extension. Subject to that
prerequisite, this enables an attacker having database-level
CREATE privilege to execute arbitrary code as the bootstrap
superuser. PostgreSQL will block this attack in the core
server, so there's no need to modify individual extensions.