Monthly archive for December 2015
Two security flaws have been discovered in KeePassX 0.4.3.
Version 2.0 has a different codebase and is not affected.
- CVE-2015-8359: DLL Preloading vulnerability on Windows
The version of Qt bundled with KeePassX 0.4.3 is vulnerable to a DLL preloading attack.
This vulnerability only affects KeePassX on Windows.
If successfully exploited, arbitrary code can be executed in the context of KeePassX.
KeePassX 0.4.4 ships with Qt 4.8.7 and employs additional hardening measures.
Thanks to Trenton Ivey from SecureWorks for reporting this vulnerability to us.
- CVE-2015-8378: Canceling XML export function creates export as “.xml” file
When canceling the “Export to > KeePassX XML file” function, the cleartext passwords were still exported.
In this case the password database was exported as the file “.xml” in the current working directory (often $HOME or the directory of the database).
Originally reported as Debian bug #791858.
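A check for leftovers from CVE-2015-8378, added here as an example and not part of the KeePassX advisory or code: the shell functions below list non-empty files named exactly `.xml` under the directories passed to them, and separately those readable by group or others. The function names are made up for this example.

```shell
#!/bin/sh
# Added example (not KeePassX code): look for leftover ".xml" files that a
# cancelled XML export in KeePassX 0.4.3 may have written (CVE-2015-8378).
# All function names below are hypothetical.

# Print every regular, non-empty file named exactly ".xml" under each
# directory argument. -xdev keeps find on one filesystem; find does not
# follow symlinks by default.
find_stray_exports() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f -name '.xml' -size +0 -print 2>/dev/null
    done
}

# Same search, restricted to files readable by group or by others, i.e.
# cleartext that other local accounts could read.
exposed_stray_exports() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f -name '.xml' -size +0 \
            \( -perm -040 -o -perm -004 \) -print 2>/dev/null
    done
}

# Number of matches from find_stray_exports.
count_stray_exports() {
    find_stray_exports "$@" | wc -l
}

# When called with directory arguments, print a short report.
if [ "$#" -gt 0 ]; then
    echo "Non-empty files named .xml: $(count_stray_exports "$@")"
    find_stray_exports "$@"
    echo "Of those, readable by group or others:"
    exposed_stray_exports "$@"
fi
```

Pass it the locations the advisory names, for example `$HOME` and the directory holding the database. A file named `.xml` is not necessarily a KeePassX export, so inspect each hit before removing it.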
KeePassX 0.4.4 fixes both vulnerabilities.
It is available as a source tarball and Windows / Mac OS X binaries: Download
The OS X bundle contains only a 64-bit binary (unlike 0.4.3, which shipped as i386 and powerpc).
The fix for CVE-2015-8378 is also available as a patch: CVE-2015-8378.patch
We will still provide security support for the 0.4 series for some time, but please consider updating to version 2.0 instead.
We’re proud to announce the first stable release of the KeePassX 2 series after several years of development.
KeePassX 2.0 uses the new .kdbx database format (the same as KeePass 2).
You can import your .kdb database from 0.4 via Database > Import KeePass 1 database.
This is a one-way process though. You can’t migrate back to the .kdb format.
New features include:
- Multiple attachments per entry
- Add custom key/value pairs to entries
- Open multiple databases in one window
KeePassX 2.0 has been rewritten from scratch, so some features (like showing expired passwords) are still missing.
The important changes compared to beta 2 are:
- Improve UI of the search edit.
- Clear clipboard when locking databases. [#342]
- Enable Ctrl+M shortcut to minimize the window on all platforms. [#329]
- Show a better message when trying to open an old database format. [#338]
- Fix global auto-type behavior with some window managers.
- Show global auto-type window on the active desktop. [#359]
- Disable systray on OS X. [#326]
- Restore main window when clicking on the OS X dock icon. [#326]
You can fetch the new release from the downloads page.