Main PageTwo security flaws have been discovered in KeePassX 0.4.3.
Version 2.0 has a different codebase and is not affected.
- CVE-2015-8359: DLL Preloading vulnerability on Windows
The version of Qt bundled with KeePassX 0.4.3 is vulnerable to a DDL preloading attack.
This vulnerability only affects KeePassX on Windows.
If successfully exploited, arbitrary code can be executed in the context of KeePassX.
KeePassX 0.4.4 ships with Qt 4.8.7 and employs additional hardening measures.
Thanks to Trenton Ivey from SecureWorks for reporting this vulnerability to us. - CVE-2015-8378: Canceling XML export function creates export as “.xml” file
When canceling the “Export to > KeePassX XML file” function the cleartext passwords were still exported.
In this case the password database was exported as the file “.xml” in the current working directory (often $HOME or the directory of the database).
Originally reported as Debian bug #791858
KeePassX 0.4.4 fixes both vulnerabilities.
It is available as a source tarball and Windows / Mac OS X binaries: Download
The OS X bundle contains only a 64bit binary (compared to 0.4.3 which shipped as i386 and powerpc).
The fix for CVE-2015-8378 is also available as a patch: CVE-2015-8378.patch
We will still provide security support for the 0.4 series for some time but please consider updating to version 2.0 instead.
Thanks for releasing KeePassX 2.0 and continuing to provide security support for version 0.4! I just noticed that Debian Sid is still on version 0.4.3. That means that Ubuntu won’t be getting KeePassX 2.0 for a long while, unfortunately. I try to minimize compiling executables from source because that defeats the purpose of a package manager in a Linux distribution.
write to debian maintainers:
https://packages.debian.org/sid/keepassx
see also http://www.getdeb.net/welcome/
I am so sad to hear that OSX 10.6 will no longer be supported, even if I can understand the reasons. I will be hoping someone will fix at least the security issues for this OS version.
Thanks for your great work,
Emanuele
OS X had more vulnerabilities than every other software product that has CVEs published. iOS was second on the list, Adobe products took 3rd with Adobe Flash Player and 4th, 5th and 6th for other Adobe products… then came IE.
So, if you are running OS X 10.6, then you are in trouble, at least at great risk. Update to the latest version, if you don’t then you will be so lost as Apple won’t keep the older version updated.
We need .deb packages [at the very least and not just testing or SID] and other options too for KeePassX 2.x …. Gentoo and others should be supported. Heck, it wouldn’t be bad to add Solaris variants as well, such as SmartOS, OmniOS or OpenIndiana.
Thank very much for all your support. I work with Ubunto and with MS 10 and very happy to use keepass. I think I did the right choice.
Please keep me informed of your products.
Kind regards,
Klaus
Thanks for continuing to support this product. Due to various device restrictions I am bound to 0.4 for the near future. Will upgrade to 2 as soon as I can.
I like 0.4.4 better, and when I tried 2.0, I was disappointed, seriously, I didn’t find 2.0 working better, in fact the opposite, worse.
I don’t see the ability to change the Columns, so I’m stuck with more information displayed that I don’t need to see.
Global Auto Type Shortcut was just awful in 2.0, most of the sites I vist, that I have in 0.4.4 would not respond to the short cut keys I have assigned, so I had to constantly open 2.0 and perform auto type to get it to work, way to much effort.
Now that was version 2.0
Now I see it’s at version 2.0.3, so I wonder has any of this improved?
Better Global Auto Type Shortcut support?
Ability to remove columns?
Sorry, I forgot to mention the Auto Type Window was not working as smoothly as it does in 0.4.4, another reason I’m not using it…
Hopefully the Auto Type Window support is better in 2.0.3
KeePassX 2.0.2 is a great example, that sometimes new software release can be much worse than the old one. A lot of useful options were cut out. Excellent Bruce Schneier`s Twofish encryption algorithm was cut out!!! Why? Why we should be tied to AES? I do NOT trust that it is unbeatable! 0.4.3 was way much better and convenient to use!
Please keep this version going as an alternative to 2.x.
I do not like the latest 2.x version, I think 0.4.4 is much nicer in Linux!
THANK YOU
Does anyone know what command to type to apply the patch to get it to 0.4.4?
I can’t install it from scratch as the make command fails.
lib/random.cpp: In function ‘void initStdRand()’:
lib/random.cpp:98:19: error: ‘getpid’ was not declared in this scope
stream << getpid();
^
make[1]: *** [../build/random.o] Error 1
make[1]: Leaving directory `/home/terimint/Downloads/keepassx-0.4.4/src'
make: *** [sub-src-make_default] Error 2
Follow the commands here below.
The INSTALL file unfortunately and stupidly gives not a proper description, how to install
cd ~/Downloads/
tar -xvf keepassx-0.4.4.tar.gz
cd keepassx-0.4.4/
sudo yum install qt-devel qt-config gcc-c++ libXtst-devel
# you should give your sudo password
qmake-qt4
#It will takes a bit time, just wait patiently
make
make install
chmod -R 777 /usr/share/keepassx
tada!
i want to know these anything i can do to get master password? because i total forget it
I hope that there will be continued support for the 0.4.x series of KeePassX. I like the layout and functionality better than the 2.x.x series.
Thanks for the great program.
Also a request,
Shiki, you can fix the “‘getpid’ was not declared in this scope” problem by editing the file keepassx-0.4.4/src/lib/random.cpp and adding ‘#include ‘ (no quotes) underneath ‘#include “random.h”‘. This is a known problem.
For others struggling to get even this far, on Linux you need these packages: ‘sudo apt-get install qt4-qmake libqt4-dev g++ libxtst-dev’
Like others, I prefer the features of the 0.4.4 version, as I have several machines that access the database and don’t want to upgrade them all. Also I like the password generator, which was dropped from 2.0
Sorry, that should have said ”#include ”
What’s happening with this comment software? It’s dropping anything enclosed in < and >. What I’m trying to say is ‘#include <unistd.h>’. Tip: use the html escape sequences.
Thank you very much adginald! I’d almost given up.
Can confirm adding #include underneath #include “random.h fixed the problem for me. Now I have 0.4.4!
Good post, keep
Protect all of my account
Hi admin i see you don’t monetize your website. You can earn extra
$$$ easily, search on youtube for: how to earn selling articles
Thanks for your post. This is information that I’m interested.
please come back to develop 0.4…!!!
hi. I have a problem with my keepass. I can open my keepass early but now i try open and nothing happend
Please help me anything
Thank you for your sharing. Thanks to this article I can learn more things. Expand your knowledge and abilities. Actually the article is very practical. Thank you!