PostgreSQL 9.5 CVE security issue

We are using Chef Infra Server inside the standalone or Chef HA backend solution, they both have postgreSQL 9.5.x embedded in, now our security team is asking if following 3 CVE is applicable to Chef products:

  • CVE-2021-32027
  • CVE-2021-32028
  • CVE-2021-32029

We don't find them in your Chef release notes, but because the PostgreSQL used in chef products are old (9.5), above CVE shows up in security team's scan list. Could someone check and confirm whether these CVE are relevant to any chef product, and why or why not they are relevant?

What is more, is there any reason these Chef product (even the Chef Automate is using older postgreSQL behind the scene) choose to use an older version of PostgreSQL, and how to address CVE issues like above if those CVE only says they are relevant if PostgreSQL is under a particular version?