openSUSE-SU-2023:0157-1: important: Security update for keepass
openSUSE Security Update: Security update for keepass
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2023:0157-1
Rating:             important
References:         #1211397
Cross-References:   CVE-2023-32784
CVSS scores:
                    CVE-2023-32784 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products:
                    openSUSE Backports SLE-15-SP4
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for keepass fixes the following issues:

- Update to 2.54
  * Security:
    + Improved process memory protection of secure edit controls (CVE-2023-32784, boo#1211397).
  * New Features:
    + Triggers, global URL overrides, password generator profiles and a few more settings are now stored in the enforced configuration file.
    + Added dialog 'Enforce Options (All Users)' (menu 'Tools' → 'Advanced Tools' → 'Enforce Options'), which facilitates storing certain options in the enforced configuration file.
    + In report dialogs, passwords (and other sensitive data) are now hidden using asterisks by default (if hiding is activated in the main window); the hiding can be toggled using the new '***' button in the toolbar.
    + The 'Print' command in most report dialogs now requires the 'Print' application policy flag, and the master key must be entered if the 'Print - No Key Repeat' application policy flag is deactivated.
    + The 'Export' command in most report dialogs now requires the 'Export' application policy flag, and the master key must be entered.
    + Single line edit dialogs now support hiding the value using asterisks.
    + Commands that require elevation now have a shield icon like on Windows.
    + TrlUtil: added 'Move Selected Unused Text to Dialog Control' command.
  * Improvements:
    + The content mode of the configuration elements '/Configuration/Application/TriggerSystem', '/Configuration/Integration/UrlSchemeOverrides' and '/Configuration/PasswordGenerator/UserProfiles' is now 'Replace' by default.
    + The built-in override for the 'ssh' URI scheme is now deactivated by default (it can be activated in the 'URL Overrides' dialog).
    + When opening the password generator dialog without a derived profile, the '(Automatically generated passwords for new entries)' profile is now selected by default, if profiles are enabled (otherwise the default profile is used).
    + The clipboard workarounds are now disabled by default (they are not needed anymore on most systems).
    + Improved clipboard clearing.
    + Improved starting of an elevated process.
  * Bugfixes:
    + In report dialogs, the 'Print' and 'Export' commands now always use the actual data (in previous versions, asterisks were printed/exported when the application policy flag 'Unhide Passwords' was turned off).

- Update to 2.53.1
  * When testing a KDF ('Test' button in the database settings dialog), KeePass now spawns a child process that performs the KDF computation (which allows cancelling the test more cleanly in the case of excessive parameters; security is unaffected, because dummy data is used for the test).
  * Removed the 'Export - No Key Repeat' application policy flag; KeePass now always asks for the current master key when trying to export data.
  * Minor other improvements.

- Update to 2.53
  * New Features:
    + For each entry listed on the 'History' tab page of the entry dialog, the fields modified with respect to the previous entry are displayed.
    + Added 'Compare' button on the 'History' tab page of the entry dialog; when two (not necessarily consecutive) history entries are selected, clicking the button shows a detailed comparison (with values, etc.).
    + When editing an entry, the history entry list of the entry dialog now contains an entry called 'Dialog (unsaved)', which represents all data entered in the current dialog (other tab pages).
    + When editing an entry, the history entry list of the entry dialog now contains an entry called 'Current (TIME)', which is the entry that is currently stored in the database (without any changes made in the current dialog).
    + Added 'History' command in the 'Find' main menu; it lists all entry modifications (sorted by time).
    + Added filter box in most report dialogs (last modified entries, history, large entries, similar password clusters, password quality, history entry comparison, database file search, ...).
    + Added 'Print' button in most report dialogs.
    + Added 'Export' button in most report dialogs; supported formats are CSV and HTML.
    + Added {EDGE} placeholder, which is replaced by the executable path of the new (Chromium-based) Microsoft Edge, if installed.
    + Added URL override suggestion for Microsoft Edge in private mode in the URL override suggestions drop-down list of the entry dialog.
    + Added optional built-in global URL overrides for opening HTTP/HTTPS URLs with Microsoft Edge in private mode.
    + When trying to rearrange entries while automatic sorting is activated, KeePass now asks whether to deactivate automatic sorting.
    + Added access keys in the tags button drop-down menu of the entry/group dialogs.
    + Added access keys in the 'View' → 'Sort By' menu.
    + Added access keys in the entry templates menu.
    + Added access keys in the 'Perform Auto-Type' menu (which is displayed if the 'Show additional auto-type menu commands' option is turned on).
    + Added {HMACOTP} and {TIMEOTP} in the 'Perform Auto-Type' menu.
    + Added keyboard shortcut Ctrl+T for the 'Copy Time-Based OTP' entry data command.
    + Added keyboard shortcut Ctrl+Shift+T for the 'Show Time-Based OTP' entry data command.
    + Enhanced Password Depot XML import module to support the new format (added support for the new node names, group icons, recycle bin, tags, favorites, auto-type delay conversion, history, enhanced icon mapping, enhanced date/time parsing, ...).
    + Added border for headings in HTML exports/printouts.
    + Added support for running KeePass in FIPS mode.
  * Improvements:
    + History entries listed on the 'History' tab page of the entry dialog are now sorted from newest to oldest.
    + The icons in the list on the 'History' tab page of the entry dialog now indicate the type of the entry.
    + History entry controls of the entry dialog are now disabled when creating a new entry.
    + The history entry 'Restore' button is now disabled when any change has been made in the current dialog.
    + The 'Password modified' time is now updated immediately when deleting a history entry.
    + Improved URL override suggestion for Microsoft Edge in the URL override suggestions drop-down list of the entry dialog (changed from 'microsoft-edge:{URL}' to 'cmd://{EDGE} "{URL}"').
    + Improved optional built-in global URL overrides for opening HTTP/HTTPS URLs with Microsoft Edge (changed from 'microsoft-edge:{BASE}' to 'cmd://{EDGE} "{BASE}"').
    + Reordered web browser URL overrides alphabetically.
    + Improved dynamic menu item access key assignment.
    + Improved item separation in the entry details view.
    + In most places, groups in a group path are now separated by right arrows instead of hyphens.
    + Improved last modification time comparison for plugin data dictionaries.
    + Unified generation of common HTML parts.
    + The 'Copy Initial Password' command in the 'Tools' menu of the entry dialog now requires the 'Copy' application policy flag.
    + Various UI text improvements.
    + Various code optimizations.
    + Minor other improvements.
  * Bugfixes:
    + The history entry 'Restore' button now always works as expected.

- Update to 2.52
  * New Features:
    + Added 'Copy Initial Password' command in the tools menu of the entry dialog; it copies (to the clipboard) the password that was current when the dialog was opened.
    + When multiple entries are selected (containing at least one attachment), the number of attachments is now displayed in the 'Attachments' submenu of the entry menu.
    + Added option 'Alt. item background color' (supporting the states 'Off', 'On, default color' and 'On, custom color'); this combines the previous two options 'Use alternating item background colors' and 'Custom alt. item color'.
    + Comment placeholders ({C:...}) may now contain balanced braces.
    + In the auto-type entry selection dialog, values in the 'Sequence - Comments' column are dereferenced now.
    + The time when the password of an entry was last changed is now displayed in the entry dialog on the 'History' tab page.
    + Added support for importing 1Password 8.7 1PUX files.
    + Added support for importing Key Folder 1.22 XML files.
    + Sticky Password XML import: added support for importing groups and expiry dates.
    + Steganos Password Manager CSV import: added support for the new encoding of double quotes.
    + Bitwarden JSON import: time-based one-time password generator settings are converted automatically now.
    + KeePass now checks the 'KeePass.exe.config' file and shows a warning message when finding a problem.
    + For development builds: added command for showing GC information.
    + Plugins can now load the header of a database file more easily.
    + Plugins can now subscribe to a master key change event.
    + TrlUtil: added workaround for .NET tab control focus bug.
  * Improvements:
    + Moved the command 'Save Attached File(s) To' into the 'Attachments' submenu of the entry menu and renamed it to 'Save File(s) To'.
    + The command for saving attached files is now available only if at least one of the selected entries has at least one attachment.
    + The {APPACTIVATE ...} auto-type command now ignores the options 'Cancel auto-type when the target window changes' and 'Cancel auto-type when the target window title changes'.
    + {APPACTIVATE ...} auto-type command: if the specified window does not exist or cannot be focused, auto-type is aborted now.
    + Unified creation of fields with indices.
    + Improved database modification state and UI updating after imports/synchronizations.
    + In the master key creation/prompt dialogs, the [OK] button is now disabled when checking the 'Key file/provider' check box and selecting '(None)' in the combo box.
    + Improved drop-down menu width adjustment for certain combo boxes in the options dialog.
    + Improved hashing performance of protected binaries, UUIDs, ...
    + Performance improvements related to empty arrays.
    + Improved Mono framework version detection.
    + TrlUtil: improved preview dialog update performance.
    + Various UI text improvements.
    + Various code optimizations.
    + Minor other improvements.
  * Bugfixes:
    + Fixed a bug that caused a minimized main window to be restored to a normal window instead of a maximized window in certain situations.
    + The 'Help' menu item in the entry dialog and the 'Help' button in the entry string field dialog now open the correct help sections.

- Update to 2.51.1
  * New Features:
    + Most dialogs with fixed size now detect whether they fit onto the current screen, and when a dialog does not fit (e.g. due to a very high DPI factor), its size is reduced and scroll bars are displayed.
    + Added plural entry command names in the main window (e.g. the command for editing the currently selected entry/entries is now called either 'Edit Entry' or 'Edit Entries', depending on the number of selected entries).
    + Added tooltip for the main part of the status bar of the main window.
    + Enhanced color buttons (tooltips, accessible names, ...) in the entry dialog, in the database settings dialog and in the options dialog.
    + Added 'Interface (2)' tab page in the options dialog, renamed the existing 'Interface' tab page to 'Interface (1)', moved some controls from 'Interface (1)' to 'Interface (2)'.
    + Enhanced font selection controls (with a checkbox that allows returning to the default, the button shows the currently selected font, tooltip, improved accessibility, ...) in the options dialog.
    + Added help links 'Dark theme' and 'Main font (size)' in the options dialog.
    + The options 'Custom alt. item color' and 'Esc keypress in main window' are now disabled if they are enforced (by an enforced configuration file).
    + Added support for opening URLs with Waterfox in private mode.
    + Added dialog for editing (HMAC-based and time-based) one-time password generator settings (can be opened using the 'OTP Generator Settings' commands in the entry dialog or in the 'Edit Entry (Quick)' menu of the main window).
    + Added entry commands 'Copy HMAC-Based OTP', 'Show HMAC-Based OTP', 'Copy Time-Based OTP' and 'Show Time-Based OTP' (in the 'Other Data' menu).
    + Added entry commands 'Copy Title' and 'Copy Notes' (in the 'Other Data' menu).
    + When switching to the 'Generate' tab page of the password generator dialog (no database open), the entropy collection dialog is displayed now, if the option 'Show dialog for collecting user input as additional entropy' is turned on.
    + Added option 'Colorize password characters' in the HTML export/print dialog; the colors are customizable.
    + Added options 'Custom main font' and 'Custom password font' in the HTML export/print dialog.
    + Added horizontal entry separator lines in tabular HTML exports/printouts.
    + In the plugins dialog, the 'Delete old files from cache automatically' option and the 'Clear' button are now disabled if they are enforced (by an enforced configuration file).
    + Plugins can now change the expiry date of an entry more easily.
  * Improvements:
    + Improved main window initialization performance.
    + Improved initial emergence of a minimized or maximized main window (less flickering, improved performance, ...).
    + Improved names/tooltips of the database toolbar buttons in the main window.
    + Improved handling of bold/italic list fonts.
    + Improved entry list update performance in certain situations.
    + Improved dynamic menu deconstruction performance.
    + Fields starting with 'HmacOtp-' or 'TimeOtp-' are not shown in the entry string copy menu anymore.
    + Improved tooltips and accessibility of password repetition text boxes.
    + When a dark theme is active, the error background color of text boxes is darker now.
    + Improved accessibility of expiry control groups.
    + The title of the master key creation/change dialog is now adjusted to the context.
    + Improved 'Compression' tab page of the database settings dialog (extended 'None' option description, improved accessibility, ...).
    + If no color has been specified, the 'Custom alt. item color' button in the options dialog now shows the default color.
    + Improved HTML generation for HTML exports/printouts.
    + Improved default fonts used when printing or exporting to HTML.
    + In block HTML exports/printouts, field names are not italic anymore (unless the user has selected an italic main font).
    + In HTML exports/printouts, all field values except passwords are trimmed now.
    + HTML exports/printouts: improved encoding of white-space characters in passwords.
    + Improved horizontal entry separator lines in block HTML exports/printouts.
    + TrlUtil: improved control classification.
    + Increased Authenticode certificate key length.
    + Improved entry list update performance when duplicating entries.
    + Various CHM/help improvements.
    + Various UI text improvements.
    + Various code optimizations.
    + Minor other improvements.
  * Bugfixes:
    + The option 'Use alternating item background colors' is now compatible with automatic sorting again.
    + The command line parameter '-preselect:' now works as expected when the option 'Clear master key command line parameters after using them once' is turned on.
    + Font selections in the options dialog are now applied only when closing the dialog with [OK].
    + Fixed an entry list scrolling bug.

- Update to 2.50
  * New Features:
    + On most Linux systems, AES-KDF is now about 4 times as fast as before, if the 'libgcrypt' library is installed.
    + On most Linux systems, Argon2d and Argon2id are now about 3 times as fast as before (for default parameters), if the 'libargon2' library is installed.
    + The option 'Enter master key on secure desktop' is now also supported by master key prompt dialogs shown during imports, confirmations (before exporting, printing, changing the master key, ...) and trigger actions.
    + The option 'Enter master key on secure desktop' is now also supported by master key creation/change dialogs.
    + The key file/provider combo boxes in the master key dialogs now have a tooltip that shows the current value, if the value is very long.
    + Added password generation button in the entry string field dialog.
    + When double-clicking the title cell of an entry in the main entry list while holding down the Shift key, the title is now copied to the clipboard.
    + Added support for detecting the latest versions of Chromium on Unix-like systems (for 'Open with ...' commands in the 'URL(s)' menu, for the {GOOGLECHROME} placeholder, ...).
    + In the 'URL(s)' menu, there now are separate commands for Google Chrome and Chromium, if both are installed.
    + Enhanced support for detecting Vivaldi, Brave, Pale Moon and Epiphany.
    + Added support for importing Kaspersky Password Manager 9.0.2 TXT files.
    + Bitwarden import module: added support for importing subfolders, and collection names are now imported as tags.
    + In the 'About KeePass' dialog, each item in the components list now has a tooltip that shows the file/folder path of the component, if it is installed.
    + In the 'About KeePass' dialog, a double-click onto a component now shows the component file/folder with the file manager.
    + In the 'About KeePass' dialog, the components list now has a context menu that provides the following new commands: 'Show with File Manager', 'Copy Version/Status' and 'Copy Path'.
  * Improvements:
    + If the option 'An entry matches if one of its tags is contained in the target window title' is turned on, auto-type now additionally considers tags inherited from groups.
    + The built-in password generation patterns 'Hex Key - *-Bit' now use upper-case hexadecimal symbols.
    + Improved Spr variance check of the password generator (custom string references, ...).
    + All commands in the password generator menu (shown by the password generator buttons in entry/string dialogs) support the option 'Show dialog for collecting user input as additional entropy' now.
  * Bugfixes:
    + Column header context menus are not shown for non-report list views anymore.
    + When copying a URL to the clipboard fails, the main entry list is updated now.
    + Toggling the password generator option 'Show dialog for collecting user input as additional entropy' now causes a switch to the '(Custom)' profile.
    + In the TAN wizard dialog, group names containing ampersands are displayed correctly now.

- Add recommends to libargon2-1 and libgcrypt20 as KeePass can use those for faster operations.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP4:

  zypper in -t patch openSUSE-2023-157=1

Package List:

- openSUSE Backports SLE-15-SP4 (noarch):

  keepass-2.54-bp154.2.3.1

References:

https://www.suse.com/security/cve/CVE-2023-32784.html
https://bugzilla.suse.com/1211397
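The following POSIX shell script is an added example, not part of the advisory or of the keepass package. It checks whether the keepass RPM installed on a host is older than the fixed version named in the Package List above (2.54) and, if so, prints the zypper command from the Patch Instructions. The version comparison is done in pure sh so it does not depend on sort -V; the threshold 2.54 is taken from this advisory and is the only assumption built into the script.

```sh
#!/bin/sh
# Added example: decide whether an installed keepass package still needs
# openSUSE-SU-2023:0157-1 (CVE-2023-32784). Fixed version per this advisory.
FIXED_VERSION="2.54"

# version_lt A B: return 0 (true) if dotted version A is older than B.
# Components are compared numerically; missing components count as 0 and
# any non-digit suffix in a component (e.g. "1~beta") is ignored.
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=${a%%.*}; a=${a#*.}
        cb=${b%%.*}; b=${b#*.}
        ca=${ca%%[!0-9]*}; cb=${cb%%[!0-9]*}
        ca=${ca:-0}; cb=${cb:-0}
        if [ "$ca" -lt "$cb" ]; then return 0; fi
        if [ "$ca" -gt "$cb" ]; then return 1; fi
    done
    return 1
}

# keepass_needs_update VERSION: return 0 if VERSION predates the fix.
keepass_needs_update() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_installed_keepass: query rpm and report. Exit status:
#   0 = fixed version installed, 1 = affected, 2 = could not determine.
check_installed_keepass() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; cannot query installed keepass" >&2
        return 2
    fi
    installed=$(rpm -q --qf '%{VERSION}\n' keepass 2>/dev/null) || {
        echo "keepass is not installed" >&2
        return 2
    }
    if keepass_needs_update "$installed"; then
        echo "keepass $installed is affected by CVE-2023-32784; run:"
        echo "  zypper in -t patch openSUSE-2023-157=1"
        return 1
    fi
    echo "keepass $installed already includes the fix"
    return 0
}

# Run the live check only when invoked as "sh check_keepass.sh --check";
# otherwise the file can be sourced for its functions.
if [ "${1:-}" = "--check" ]; then
    check_installed_keepass
    exit $?
fi
```

Run it as `sh check_keepass.sh --check` on the host; a non-zero exit status means either the package is still affected (1) or the check could not be performed (2), which makes the script usable from a fleet-wide compliance job.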