KeepassX 0.43 Security Flaws
GM2015 Member
edited December 2015 in General

Debian 8 packs keepassx 0.43 via apt, so you might be interested.

apt-cache policy keepassx
keepassx:
  Installed: (none)
  Candidate: 0.4.3+dfsg-0.1
  Version table:
     0.4.3+dfsg-0.1 0
        500 http://ftp.uk.debian.org/debian/ jessie/main i386 Packages

https://www.keepassx.org/news/2015/12/551

Two security flaws have been discovered in KeePassX 0.4.3.
Version 2.0 has a different codebase and is not affected.

CVE-2015-8359: DLL Preloading vulnerability on Windows
The version of Qt bundled with KeePassX 0.4.3 is vulnerable to a DLL preloading attack.
This vulnerability only affects KeePassX on Windows.
If successfully exploited, arbitrary code can be executed in the context of KeePassX.
KeePassX 0.4.4 ships with Qt 4.8.7 and employs additional hardening measures.
Thanks to Trenton Ivey from SecureWorks for reporting this vulnerability to us.
CVE-2015-8378: Canceling XML export function creates export as “.xml” file
When canceling the “Export to > KeePassX XML file” function the cleartext passwords were still exported.
In this case the password database was exported as the file “.xml” in the current working directory (often $HOME or the directory of the database).
Originally reported as Debian bug #791858

KeePassX 0.4.4 fixes both vulnerabilities.
It is available as a source tarball and Windows / Mac OS X binaries: Download
The OS X bundle contains only a 64bit binary (compared to 0.4.3 which shipped as i386 and powerpc).
The fix for CVE-2015-8378 is also available as a patch: CVE-2015-8378.patch

We will still provide security support for the 0.4 series for some time but please consider updating to version 2.0 instead.

Poll: WTF is keepassx (39 votes)
    1. I use it.
      35.90%
    2. I don't use it.
      30.77%
    3. I'd use it, but prefer paying instead.
        0.00%
    4. I've got to buy some servers tonight, so shut up.
        0.00%
    5. Hmpf, running out of popcorn.
        0.00%
    6. Got to shag that club-foot brunette down at Walmart.
        2.56%
    7. Server porn arriving from amazon. BRB.
        2.56%
    8. 8th sense.
        0.00%
    9. Non sense.
        2.56%
    10. 10 commandment of password management.
        7.69%
    11. One more for RM_, in case he wants to vote on something else not listed.
      17.95%
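
Added illustration of the second flaw (CVE-2015-8378), not KeePassX's own code: a fail-open export routine that appends ".xml" and writes without checking whether a name was actually chosen, beside a hardened version that treats a cancelled dialog as "write nothing". The file chooser is a constructed stand-in, and the assumption that it returns an empty string on cancel is mine, not something the advisory states.

```cpp
// Added example, not KeePassX code: the fail-open export pattern behind
// CVE-2015-8378 next to a hardened version. Assumption: the file chooser
// returns an empty string when the user cancels.
#include <cstdio>
#include <fstream>
#include <string>
#include <sys/stat.h>

// Constructed stand-in for the "Export to > KeePassX XML file" dialog.
std::string chooseExportPath(bool userCancelled) {
    return userCancelled ? std::string() : std::string("vault-export");
}

// Vulnerable: appends ".xml" and writes without checking that a name was
// chosen, so a cancelled dialog still produces the file ".xml" in the cwd.
std::string exportVulnerable(bool userCancelled, const std::string& cleartext) {
    std::string path = chooseExportPath(userCancelled) + ".xml";
    std::ofstream out(path);
    out << cleartext;            // cleartext passwords land on disk either way
    return path;
}

// Hardened: treat an empty selection as "cancelled" and write nothing.
// Returns the path written, or "" when the export was aborted.
std::string exportHardened(bool userCancelled, const std::string& cleartext) {
    std::string chosen = chooseExportPath(userCancelled);
    if (chosen.empty()) {
        return "";               // no file is created, nothing is exported
    }
    std::string path = chosen + ".xml";
    std::ofstream out(path);
    out << cleartext;
    return path;
}

// Does a file of that name exist in the current working directory?
bool fileExists(const std::string& path) {
    struct stat st;
    return stat(path.c_str(), &st) == 0;
}

int main() {
    const std::string secret = "<entry><password>hunter2</password></entry>"; // constructed
    std::string safe = exportHardened(true, secret);
    std::printf("hardened, cancelled: path='%s' .xml exists=%d\n", safe.c_str(), fileExists(".xml"));
    std::string leaked = exportVulnerable(true, secret);
    std::printf("vulnerable, cancelled: wrote '%s' exists=%d\n", leaked.c_str(), fileExists(leaked));
    std::remove(leaked.c_str()); // clean up the demo artefact
    return 0;
}
```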

Comments

  • KuJoe Member, Host Rep

    I don't know why they bother maintaining two versions of the same product. I used to use the 0.x version then switched to 2.x because it offers more features and looked like it had better security options all around.

    Thanked by 2: GM2015, mpkossen
  • Well, I think they worry about linux distros' outdated package managers.

    KuJoe said: I don't know why they bother maintaining two versions of the same product. I used to use the 0.x version then switched to 2.x because it offers more features and looked like it had better security options all around.

  • People are really conservative with their votes.

  • NexHost Member
    edited December 2015

    Nice Poll!

    Should allow multi vote :D

    Thanked by 1: GM2015
  • nice to see @rm_ got his votes.

    NexHost said: Nice Poll!

  • joepie91 Member, Patron Provider

    Second one is pretty bad, but unfortunately not uncommon for code from, shall we say... "C and C++ land". Lots of questionably structured code like that floating around. Unfortunately one such issue also existed in one of the KeePassX 2.x alphas, where it would not disable the "Copy Password" button when locking a database.

    Thanked by 1: GM2015