KeePassX 0.4.4 Security Update released

Two security flaws have been discovered in KeePassX 0.4.3.
Version 2.0 has a different codebase and is not affected.

  • CVE-2015-8359: DLL Preloading vulnerability on Windows
    The version of Qt bundled with KeePassX 0.4.3 is vulnerable to a DDL preloading attack.
    This vulnerability only affects KeePassX on Windows.
    If successfully exploited, arbitrary code can be executed in the context of KeePassX.
    KeePassX 0.4.4 ships with Qt 4.8.7 and employs additional hardening measures.
    Thanks to Trenton Ivey from SecureWorks for reporting this vulnerability to us.
  • CVE-2015-8378: Canceling XML export function creates export as “.xml” file
    When canceling the “Export to > KeePassX XML file” function the cleartext passwords were still exported.
    In this case the password database was exported as the file “.xml” in the current working directory (often $HOME or the directory of the database).
    Originally reported as Debian bug #791858

KeePassX 0.4.4 fixes both vulnerabilities.
It is available as a source tarball and Windows / Mac OS X binaries: Download
The OS X bundle contains only a 64bit binary (compared to 0.4.3 which shipped as i386 and powerpc).
The fix for CVE-2015-8378 is also available as a patch: CVE-2015-8378.patch

We will still provide security support for the 0.4 series for some time but please consider updating to version 2.0 instead.

No Comments and Pings are allowed at this moment.

36 Responses to “KeePassX 0.4.4 Security Update released”

  1. thepirateking says:

    Thanks for releasing KeePassX 2.0 and continuing to provide security support for version 0.4! I just noticed that Debian Sid is still on version 0.4.3. That means that Ubuntu won’t be getting KeePassX 2.0 for a long while, unfortunately. I try to minimize compiling executables from source because that defeats the purpose of a package manager in a Linux distribution.

  2. Emanuele says:

    I am so sad to hear that OSX 10.6 will no longer be supported, even if I can understand the reasons. I will be hoping someone will fix at least the security issues for this OS version.
    Thanks for your great work,

  3. Andre McGlashan says:

    OS X had more vulnerabilities than every other software product that has CVEs published. iOS was second on the list, Adobe products took 3rd with Adobe Flash Player and 4th, 5th and 6th for other Adobe products… then came IE.

    So, if you are running OS X 10.6, then you are in trouble, at least at great risk. Update to the latest version, if you don’t then you will be so lost as Apple won’t keep the older version updated.

    We need .deb packages [at the very least and not just testing or SID] and other options too for KeePassX 2.x …. Gentoo and others should be supported. Heck, it wouldn’t be bad to add Solaris variants as well, such as SmartOS, OmniOS or OpenIndiana.

  4. Klaus Brueck says:

    Thank very much for all your support. I work with Ubunto and with MS 10 and very happy to use keepass. I think I did the right choice.
    Please keep me informed of your products.

    Kind regards,

  5. Iain Forbes says:

    Thanks for continuing to support this product. Due to various device restrictions I am bound to 0.4 for the near future. Will upgrade to 2 as soon as I can.

  6. Tusi Tusanio says:

    I like 0.4.4 better, and when I tried 2.0, I was disappointed, seriously, I didn’t find 2.0 working better, in fact the opposite, worse.

    I don’t see the ability to change the Columns, so I’m stuck with more information displayed that I don’t need to see.

    Global Auto Type Shortcut was just awful in 2.0, most of the sites I vist, that I have in 0.4.4 would not respond to the short cut keys I have assigned, so I had to constantly open 2.0 and perform auto type to get it to work, way to much effort.

    Now that was version 2.0

    Now I see it’s at version 2.0.3, so I wonder has any of this improved?

    Better Global Auto Type Shortcut support?

    Ability to remove columns?

  7. Tusi Tusanio says:

    Sorry, I forgot to mention the Auto Type Window was not working as smoothly as it does in 0.4.4, another reason I’m not using it…

    Hopefully the Auto Type Window support is better in 2.0.3

  8. Denis says:

    KeePassX 2.0.2 is a great example, that sometimes new software release can be much worse than the old one. A lot of useful options were cut out. Excellent Bruce Schneier`s Twofish encryption algorithm was cut out!!! Why? Why we should be tied to AES? I do NOT trust that it is unbeatable! 0.4.3 was way much better and convenient to use!

  9. Jodi says:

    Please keep this version going as an alternative to 2.x.

    I do not like the latest 2.x version, I think 0.4.4 is much nicer in Linux!


  10. Shiki says:

    Does anyone know what command to type to apply the patch to get it to 0.4.4?

    I can’t install it from scratch as the make command fails.

    lib/random.cpp: In function ‘void initStdRand()’:
    lib/random.cpp:98:19: error: ‘getpid’ was not declared in this scope
    stream << getpid();
    make[1]: *** [../build/random.o] Error 1
    make[1]: Leaving directory `/home/terimint/Downloads/keepassx-0.4.4/src'
    make: *** [sub-src-make_default] Error 2

    • holzbenedek says:

      Follow the commands here below.
      The INSTALL file unfortunately and stupidly gives not a proper description, how to install

      cd ~/Downloads/
      tar -xvf keepassx-0.4.4.tar.gz
      cd keepassx-0.4.4/

      sudo yum install qt-devel qt-config gcc-c++ libXtst-devel
      # you should give your sudo password
      #It will takes a bit time, just wait patiently
      make install
      chmod -R 777 /usr/share/keepassx


  11. lusapho says:

    i want to know these anything i can do to get master password? because i total forget it

  12. Skaendo says:

    I hope that there will be continued support for the 0.4.x series of KeePassX. I like the layout and functionality better than the 2.x.x series.

    Thanks for the great program.

    Also a request,

  13. adginald says:

    Shiki, you can fix the “‘getpid’ was not declared in this scope” problem by editing the file keepassx-0.4.4/src/lib/random.cpp and adding ‘#include ‘ (no quotes) underneath ‘#include “random.h”‘. This is a known problem.

    For others struggling to get even this far, on Linux you need these packages: ‘sudo apt-get install qt4-qmake libqt4-dev g++ libxtst-dev’

    Like others, I prefer the features of the 0.4.4 version, as I have several machines that access the database and don’t want to upgrade them all. Also I like the password generator, which was dropped from 2.0

  14. adginald says:

    Sorry, that should have said ”#include ”

  15. adginald says:

    What’s happening with this comment software? It’s dropping anything enclosed in < and >. What I’m trying to say is ‘#include <unistd.h>’. Tip: use the html escape sequences.

  16. Shiki says:

    Thank you very much adginald! I’d almost given up.

    Can confirm adding #include underneath #include “random.h fixed the problem for me. Now I have 0.4.4!

  17. Briana says:

    Protect all of my account

  18. JerryX says:

    Hi admin i see you don’t monetize your website. You can earn extra
    $$$ easily, search on youtube for: how to earn selling articles

  19. Thanks for your post. This is information that I’m interested.

  20. mr Bird says:

    please come back to develop 0.4…!!!

  21. Egor says:

    hi. I have a problem with my keepass. I can open my keepass early but now i try open and nothing happend

    Please help me anything

  22. color switch says:

    Thank you for your sharing. Thanks to this article I can learn more things. Expand your knowledge and abilities. Actually the article is very practical. Thank you!