BUG #8628: md5 security hole

The following bug has been logged on the website:

Bug reference:      8628
Logged by:          Robert Nichols0n
Email address:      rob@northleaf.com
PostgreSQL version: 9.3.1
Operating system:   Ubuntu Desktop 64 bit
Description:

I am able to login without a password when the password field is null. If
the field is not null the functionality seems normal, I get rejected unless
the password is correct.  This makes password based login ridiculous.  Is
this a bug or designed in? I login with my own code (Qt based) or with
pgAdmin III and I find the same bug. Is it not possible to require a
password at login?


My pg_hba.conf is:
# TYPE  DATABASE        USER            ADDRESS                 METHOD


# "local" is for Unix domain socket connections only
#local   all             all                                       md5
# IPv4 local connections:
hostssl    all             all             127.0.0.1/32            md5
# IPv6 local connections:
#host    all             all             ::1/128                 trust


Thank you.