Vulnerability category: Ubuntu
Vulnerability severity:
Vulnerability information
It was discovered that PostgreSQL allowed the use of empty passwords in some authentication methods, contrary to expected behaviour.
It was discovered that PostgreSQL incorrectly handled the pg_user_mappings catalog view.
It was discovered that PostgreSQL incorrectly handled lo_put() permissions.
Vulnerability impact
A remote attacker could use an empty password to authenticate to servers that were believed to have password login disabled. (CVE-2017-7546)
A remote attacker without server privileges could possibly use this issue to obtain certain passwords. (CVE-2017-7547)
A remote attacker could possibly use this issue to change the data in a large object. (CVE-2017-7548)
Solution
Refer to Ubuntu advisory USN-3390-1 for affected packages and patching details, or update with your package manager.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
USN-3390-1: 14.04 (Kylin) on src (postgresql-9.3)