Ubuntu Security Notice 3390-1 - Ben de Graaff, Jelte Fennema, and Jeroen van der Ham discovered that PostgreSQL allowed the use of empty passwords in some authentication methods, contrary to expected behaviour. A remote attacker could use an empty password to authenticate to servers that were believed to have password login disabled. Jeff Janes discovered that PostgreSQL incorrectly handled the pg_user_mappings catalog view. A remote attacker without server privileges could possibly use this issue to obtain certain passwords. Various other issues were also addressed. Continue reading...
