Date: Wed, 9 Dec 2015 13:54:32 +0000
From: "Thomas Klausner"
Subject: CVS commit: pkgsrc/security/keepassx
To: pkgsrc-changes@NetBSD.org
Reply-To: wiz@netbsd.org
Message-Id: <20151209135432.BCA85FB80@cvs.NetBSD.org>

Module Name:    pkgsrc
Committed By:   wiz
Date:           Wed Dec 9 13:54:32 UTC 2015

Modified Files:
        pkgsrc/security/keepassx: Makefile distinfo
Removed Files:
        pkgsrc/security/keepassx/patches: patch-src_lib_FileDialogs.cpp

Log Message:
Update keepassx to 0.4.4. Non-Windows CVE mentioned below was already fixed
in pkgsrc.

Changes:
Two security flaws have been discovered in KeePassX 0.4.3.
Version 2.0 has a different codebase and is not affected.

* CVE-2015-8359: DLL Preloading vulnerability on Windows
  The version of Qt bundled with KeePassX 0.4.3 is vulnerable to a DLL
  preloading attack. This vulnerability only affects KeePassX on Windows.
  If successfully exploited, arbitrary code can be executed in the context
  of KeePassX. KeePassX 0.4.4 ships with Qt 4.8.7 and employs additional
  hardening measures.
  Thanks to Trenton Ivey from SecureWorks for reporting this vulnerability
  to us.

* CVE-2015-8378: Canceling XML export function creates export as ".xml" file
  When canceling the "Export to > KeePassX XML file" function the cleartext
  passwords were still exported. In this case the password database was
  exported as the file ".xml" in the current working directory (often $HOME
  or the directory of the database).
  Originally reported as Debian bug #791858

KeePassX 0.4.4 fixes both vulnerabilities.


To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 pkgsrc/security/keepassx/Makefile
cvs rdiff -u -r1.8 -r1.9 pkgsrc/security/keepassx/distinfo
cvs rdiff -u -r1.1 -r0 \
    pkgsrc/security/keepassx/patches/patch-src_lib_FileDialogs.cpp

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
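The CVE-2015-8378 entry above describes a classic failure mode: a file dialog that the user cancels returns an empty name, and an export routine that does not treat "empty" as "cancelled" appends its default suffix and writes cleartext to ".xml" in the working directory. The following is an added illustration of that pattern and of the check that prevents it; it is not KeePassX's or pkgsrc's code, uses no Qt, and the function names (exportXmlUnchecked, exportXmlChecked), the FakeDisk map that stands in for the filesystem, and the sample XML string are all constructed for the example.

```cpp
#include <iostream>
#include <map>
#include <string>

// Does `s` already end in ".xml"?
static bool hasXmlSuffix(const std::string& s) {
    const std::string suffix = ".xml";
    return s.size() >= suffix.size() &&
           s.compare(s.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// Stand-in for the disk (constructed for this example): path -> contents.
typedef std::map<std::string, std::string> FakeDisk;

// Outcome of an export attempt.
struct ExportResult {
    bool written;      // was anything written?
    std::string path;  // where it went; empty when nothing was written
};

// Unsafe pattern (the behaviour the advisory describes): the target name is
// built from whatever the dialog returned, so a cancelled dialog (empty
// string) still yields a file called ".xml" holding the cleartext export.
ExportResult exportXmlUnchecked(const std::string& chosenPath,
                                const std::string& cleartextXml,
                                FakeDisk& disk) {
    std::string path = chosenPath;
    if (!hasXmlSuffix(path)) path += ".xml";
    disk[path] = cleartextXml;
    return ExportResult{true, path};
}

// Hardened pattern: an empty dialog result means the user cancelled, so the
// routine writes nothing and tells the caller so before any suffix logic runs.
ExportResult exportXmlChecked(const std::string& chosenPath,
                              const std::string& cleartextXml,
                              FakeDisk& disk) {
    if (chosenPath.empty()) return ExportResult{false, ""};
    std::string path = chosenPath;
    if (!hasXmlSuffix(path)) path += ".xml";
    disk[path] = cleartextXml;
    return ExportResult{true, path};
}

int main() {
    const std::string sample = "<pwlist><entry>example</entry></pwlist>";  // constructed
    FakeDisk disk;
    ExportResult bad = exportXmlUnchecked("", sample, disk);   // dialog cancelled
    ExportResult good = exportXmlChecked("", sample, disk);    // dialog cancelled
    std::cout << "unchecked wrote: " << (bad.written ? bad.path : "(nothing)") << "\n";
    std::cout << "checked wrote:   " << (good.written ? good.path : "(nothing)") << "\n";
    return 0;
}
```

The same check belongs wherever a cancelled dialog and an empty name are indistinguishable; treating the empty result as a hard stop, rather than as a file name to be decorated, is what removes the write entirely.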