SUSE 5001 Published by

A keepass security update has been released for SUSE Linux Enterprise 15 SP4.



openSUSE-SU-2023:0157-1: important: Security update for keepass


openSUSE Security Update: Security update for keepass
_______________________________

Announcement ID: openSUSE-SU-2023:0157-1
Rating: important
References: #1211397
Cross-References: CVE-2023-32784
CVSS scores:
CVE-2023-32784 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products:
openSUSE Backports SLE-15-SP4
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for keepass fixes the following issues:

Update to 2.54

* Security:

+ Improved process memory protection of secure edit controls
(CVE-2023-32784, boo#1211397).

* New Features:

+ Triggers, global URL overrides, password generator profiles and a
few more settings are now stored in the enforced configuration file.
+ Added dialog 'Enforce Options (All Users)' (menu 'Tools' â
'Advanced Tools' â 'Enforce Options'), which facilitates storing
certain options in the enforced configuration file.
+ In report dialogs, passwords (and other sensitive data) are now
hidden using asterisks by default (if hiding is activated in the
main window); the hiding can be toggled using the new '***' button
in the toolbar.
+ The 'Print' command in most report dialogs now requires the 'Print'
application policy flag, and the master key must be entered if the
'Print - No Key Repeat' application policy flag is deactivated.
+ The 'Export' command in most report dialogs now requires the
'Export' application policy flag, and the master key must be entered.
+ Single line edit dialogs now support hiding the value using
asterisks.
+ Commands that require elevation now have a shield icon like on
Windows.
+ TrlUtil: added 'Move Selected Unused Text to Dialog Control' command.
* Improvements:
* The content mode of the configuration elements
'/Configuration/Application/TriggerSystem',
'/Configuration/Integration/UrlSchemeOverrides' and
'/Configuration/PasswordGenerator/UserProfiles' is now 'Replace' by
default.
* The built-in override for the 'ssh' URI scheme is now deactivated by
default (it can be activated in the 'URL Overrides' dialog).
* When opening the password generator dialog without a derived
profile, the '(Automatically generated passwords for new entries)'
profile is now selected by default, if profiles are enabled
(otherwise the default profile is used).
* The clipboard workarounds are now disabled by default (they are not
needed anymore on most systems).
* Improved clipboard clearing.
* Improved starting of an elevated process.

* Bugfixes:

+ In report dialogs, the 'Print' and 'Export' commands now always use
the actual data (in previous versions, asterisks were
printed/exported when the application policy flag 'Unhide Passwords'
was turned off).

- Update to 2.53.1

* When testing a KDF ('Test' button in the database settings dialog),
KeePass now spawns a child process that performs the KDF computation
(which allows to cancel the test more cleanly in the case of excessive
parameters; security is unaffected, because dummy data is used for the
test).
* Removed the 'Export - No Key Repeat' application policy flag; KeePass
now always asks for the current master key when trying to export data.
* Minor other improvements.

- Update to 2.53

* New Features:

+ For each entry listed on the 'History' tab page of the entry dialog,
the fields modified with respect to the previous entry are displayed.
+ Added 'Compare' button on the 'History' tab page of the entry
dialog; when two (not necessarily consecutive) history entries are
selected, clicking the button shows a detailed comparison (with
values, etc.).
+ When editing an entry, the history entry list of the entry dialog
now contains an entry called 'Dialog (unsaved)', which represents
all data entered in the current dialog (other tab pages).
+ When editing an entry, the history entry list of the entry dialog
now contains an entry called 'Current (TIME)', which is the entry
that is currently stored in the database (without any changes made
in the current dialog).
+ Added 'History' command in the 'Find' main menu; it lists all entry
modifications (sorted by time).
+ Added filter box in most report dialogs (last modified entries,
history, large entries, similar password clusters, password quality,
history entry comparison, database file search, ...).
+ Added 'Print' button in most report dialogs.
+ Added 'Export' button in most report dialogs; supported formats are
CSV and HTML.
+ Added {EDGE} placeholder, which is replaced by the executable path
of the new (Chromium-based) Microsoft Edge, if installed.
+ Added URL override suggestion for Microsoft Edge in private mode in
the URL override suggestions drop-down list of the entry dialog.
+ Added optional built-in global URL overrides for opening HTTP/HTTPS
URLs with Microsoft Edge in private mode.
+ When trying to rearrange entries while automatic sorting is
activated, KeePass now asks whether to deactivate automatic sorting.
+ Added access keys in the tags button drop-down menu of the
entry/group dialogs.
+ Added access keys in the 'View' â 'Sort By' menu.
+ Added access keys in the entry templates menu.
+ Added access keys in the 'Perform Auto-Type' menu (which is
displayed if the 'Show additional auto-type menu commands' option is
turned on).
+ Added {HMACOTP} and {TIMEOTP} in the 'Perform Auto-Type' menu.
+ Added keyboard shortcut Ctrl+T for the 'Copy Time-Based OTP' entry
data command.
+ Added keyboard shortcut Ctrl+Shift+T for the 'Show Time-Based OTP'
entry data command.
+ Enhanced Password Depot XML import module to support the new format
(added support for the new node names, group icons, recycle bin,
tags, favorites, auto-type delay conversion, history, enhanced icon
mapping, enhanced date/time parsing, ...).
+ Added border for headings in HTML exports/printouts.
+ Added support for running KeePass in FIPS mode.

* Improvements:

+ History entries listed on the 'History' tab page of the entry dialog
are now sorted from newest to oldest.
+ The icons in the list on the 'History' tab page of the entry dialog
now indicate the type of the entry.
+ History entry controls of the entry dialog are now disabled when
creating a new entry.
+ The history entry 'Restore' button is now disabled when any change
has been made in the current dialog.
+ The 'Password modified' time is now updated immediately when
deleting a history entry.
+ Improved URL override suggestion for Microsoft Edge in the URL
override suggestions drop-down list of the entry dialog (changed
from 'microsoft-edge:{URL}' to 'cmd://{EDGE} "{URL}"').
+ Improved optional built-in global URL overrides for opening
HTTP/HTTPS URLs with Microsoft Edge (changed from
'microsoft-edge:{BASE}' to 'cmd://{EDGE} "{BASE}"').
+ Reordered web browser URL overrides alphabetically.
+ Improved dynamic menu item access key assignment.
+ Improved item separation in the entry details view.
+ In most places, groups in a group path are now separated by right
arrows instead of hyphens.
+ Improved last modification time comparison for plugin data
dictionaries.
+ Unified generation of common HTML parts.
+ The 'Copy Initial Password' command in the 'Tools' menu of the entry
dialog now requires the 'Copy' application policy flag.
+ Various UI text improvements.
+ Various code optimizations.
+ Minor other improvements.

* Bugfixes:

+ The history entry 'Restore' button now always works as expected.

- Update to 2.52

* New Features:

+ Added 'Copy Initial Password' command in the tools menu of the entry
dialog; it copies (to the clipboard) the password that was current
when the dialog was opened.
+ When multiple entries are selected (containing at least one
attachment), the number of attachments is now displayed in the
'Attachments' submenu of the entry menu.
+ Added option 'Alt. item background color' (supporting the states
'Off', 'On, default color' and 'On, custom color'); this combines
the previous two options 'Use alternating item background colors'
and 'Custom alt. item color'.
+ Comment placeholders ({C:...}) may now contain balanced braces.
+ In the auto-type entry selection dialog, values in the 'Sequence -
Comments' column are dereferenced now.
+ The time when the password of an entry was last changed is now
displayed in the entry dialog on the 'History' tab page.
+ Added support for importing 1Password 8.7 1PUX files.
+ Added support for importing Key Folder 1.22 XML files.
+ Sticky Password XML import: added support for importing groups and
expiry dates.
+ Steganos Password Manager CSV import: added support for the new
encoding of double quotes.
+ Bitwarden JSON import: time-based one-time password generator
settings are converted automatically now.
+ KeePass now checks the 'KeePass.exe.config' file and shows a warning
message when finding a problem.
+ For development builds: added command for showing GC information.
+ Plugins can now load the header of a database file more easily.
+ Plugins can now subscribe to a master key change event.
+ TrlUtil: added workaround for .NET tab control focus bug.

* Improvements:

+ Moved the command 'Save Attached File(s) To' into the 'Attachments'
submenu of the entry menu and renamed it to 'Save File(s) To'.
+ The command for saving attached files is now available only if at
least one of the selected entries has at least one attachment.
+ The {APPACTIVATE ...} auto-type command now ignores the options
'Cancel auto-type when the target window changes' and 'Cancel
auto-type when the target window title changes'.
+ {APPACTIVATE ...} auto-type command: if the specified window does
not exist or cannot be focused, auto-type is aborted now.
+ Unified creation of fields with indices.
+ Improved database modification state and UI updating after
imports/synchronizations.
+ In the master key creation/prompt dialogs, the [OK] button is now
disabled when checking the 'Key file/provider' check box and
selecting '(None)' in the combo box.
+ Improved drop-down menu width adjustment for certain combo boxes in
the options dialog.
+ Improved hashing performance of protected binaries, UUIDs, ...
+ Performance improvements related to empty arrays.
+ Improved Mono framework version detection.
+ TrlUtil: improved preview dialog update performance.
+ Various UI text improvements.
+ Various code optimizations.
+ Minor other improvements.

* Bugfixes:

* Fixed a bug that caused a minimized main window to be restored to a
normal window instead of a maximized window in certain situations.
* The 'Help' menu item in the entry dialog and the 'Help' button in
the entry string field dialog now open the correct help sections.

- Update to 2.51.1

* New Features:

+ Most dialogs with fixed size now detect whether they fit onto the
current screen, and when a dialog does not fit (e.g. due to a very
high DPI factor), its size is reduced and scroll bars are displayed.
+ Added plural entry command names in the main window (e.g. the
command for editing the currently selected entry/entries is now
called either 'Edit Entry' or 'Edit Entries', depending on the
number of selected entries).
+ Added tooltip for the main part of the status bar of the main window.
+ Enhanced color buttons (tooltips, accessible names, ...) in the
entry dialog, in the database settings dialog and in the options
dialog.
+ Added 'Interface (2)' tab page in the options dialog, renamed the
existing 'Interface' tab page to 'Interface (1)', moved some
controls from 'Interface (1)' to 'Interface (2)'.
+ Enhanced font selection controls (with a checkbox that allows to
return to the default, the button shows the currently selected font,
tooltip, improved accessibility, ...) in the options dialog.
+ Added help links 'Dark theme' and 'Main font (size)' in the options
dialog.
+ The options 'Custom alt. item color' and 'Esc keypress in main
window' are now disabled if they are enforced (by an enforced
configuration file).
+ Added support for opening URLs with Waterfox in private mode.
+ Added dialog for editing (HMAC-based and time-based) one-time
password generator settings (can be opened using the 'OTP Generator
Settings' commands in the entry dialog or in the 'Edit Entry
(Quick)' menu of the main window).
+ Added entry commands 'Copy HMAC-Based OTP', 'Show HMAC-Based OTP',
'Copy Time-Based OTP' and 'Show Time-Based OTP' (in the 'Other Data'
menu).
+ Added entry commands 'Copy Title' and 'Copy Notes' (in the 'Other
Data' menu).
+ When switching to the 'Generate' tab page of the password generator
dialog (no database open), the entropy collection dialog is
displayed now, if the option 'Show dialog for collecting user input
as additional entropy' is turned on.
+ Added option 'Colorize password characters' in the HTML export/print
dialog; the colors are customizable.
+ Added options 'Custom main font' and 'Custom password font' in the
HTML export/print dialog.
+ Added horizontal entry separator lines in tabular HTML
exports/printouts.
+ In the plugins dialog, the 'Delete old files from cache
automatically' option and the 'Clear' button are now disabled if
they are enforced (by an enforced configuration file).
+ Plugins can now change the expiry date of an entry more easily.

* Improvements:

+ Improved main window initialization performance.
+ Improved initial emergence of a minimized or maximized main window
(less flickering, improved performance, ...).
+ Improved names/tooltips of the database toolbar buttons in the main
window.
+ Improved handling of bold/italic list fonts.
+ Improved entry list update performance in certain situations.
+ Improved dynamic menu deconstruction performance.
+ Fields starting with 'HmacOtp-' or 'TimeOtp-' are not shown in the
entry string copy menu anymore.
+ Improved tooltips and accessibility of password repetition text
boxes.
+ When a dark theme is active, the error background color of text
boxes is darker now.
+ Improved accessibility of expiry control groups.
+ The title of the master key creation/change dialog is now adjusted
to the context.
+ Improved 'Compression' tab page of the database settings dialog
(extended 'None' option description, improved accessibility, ...).
+ If no color has been specified, the 'Custom alt. item color' button
in the options dialog now shows the default color.
+ Improved HTML generation for HTML exports/printouts.
+ Improved default fonts used when printing or exporting to HTML.
+ In block HTML exports/printouts, field names are not italic anymore
(unless the user has selected an italic main font).
+ In HTML exports/printouts, all field values except passwords are
trimmed now.
+ HTML exports/printouts: improved encoding of white-space characters
in passwords.
+ Improved horizontal entry separator lines in block HTML
exports/printouts.
+ TrlUtil: improved control classification.
+ Increased Authenticode certificate key length.
+ Improved entry list update performance when duplicating entries.
+ Various CHM/help improvements.
+ Various UI text improvements.
+ Various code optimizations.
+ Minor other improvements.

* Bugfixes:

+ The option 'Use alternating item background colors' is now
compatible with automatic sorting again.
+ The command line parameter '-preselect:' now works as expected when
the option 'Clear master key command line parameters after using
them once' is turned on.
+ Font selections in the options dialog are now applied only when
closing the dialog with [OK].
+ Fixed an entry list scrolling bug.

- Update to 2.50

* New Features:

+ On most Linux systems, AES-KDF is now about 4 times as fast as
before, if the 'libgcrypt' library is installed.
+ On most Linux systems, Argon2d and Argon2id are now about 3 times as
fast as before (for default parameters), if the 'libargon2' library
is installed.
+ The option 'Enter master key on secure desktop' is now also
supported by master key prompt dialogs shown during imports,
confirmations (before exporting, printing, changing the master key,
...) and trigger actions.
+ The option 'Enter master key on secure desktop' is now also
supported by master key creation/change dialogs.
+ The key file/provider combo boxes in the master key dialogs now have
a tooltip that shows the current value, if the value is very long.
+ Added password generation button in the entry string field dialog.
+ When double-clicking the title cell of an entry in the main entry
list while holding down the Shift key, the title is now copied to
the clipboard.
+ Added support for detecting the latest versions of Chromium on
Unix-like systems (for 'Open with ...' commands in the 'URL(s)'
menu, for the {GOOGLECHROME} placeholder, ...).
+ In the 'URL(s)' menu, there now are separate commands for Google
Chrome and Chromium, if both are installed.
+ Enhanced support for detecting Vivaldi, Brave, Pale Moon and
Epiphany.
+ Added support for importing Kaspersky Password Manager 9.0.2 TXT
files.
+ Bitwarden import module: added support for importing subfolders, and
collection names are now imported as tags.
+ In the 'About KeePass' dialog, each item in the components list now
has a tooltip that shows the file/folder path of the component, if
it is installed.
+ In the 'About KeePass' dialog, a double-click onto a component now
shows the component file/folder with the file manager.
+ In the 'About KeePass' dialog, the components list now has a context
menu that provides the following new commands: 'Show with File
Manager', 'Copy Version/Status' and 'Copy Path'.
* Improvements:
+ If the option 'An entry matches if one of its tags is contained in
the target window title' is turned on, auto-type now additionally
considers tags inherited from groups.
+ The built-in password generation patterns 'Hex Key - *-Bit' now use
upper-case hexadecimal symbols.
+ Improved Spr variance check of the password generator (custom string
references, ...).
+ All commands in the password generator menu (shown by the password
generator buttons in entry/string dialogs) support the option 'Show
dialog for collecting user input as additional entropy' now.
* Bugfixes:
+ Column header context menus are not shown for non-report list views
anymore.
+ When copying a URL to the clipboard fails, the main entry list is
updated now.
+ Toggling the password generator option 'Show dialog for collecting
user input as additional entropy' now causes a switch to the
'(Custom)' profile.
+ In the TAN wizard dialog, group names containing ampersands are
displayed correctly now.

- Add recommends to libargon2-1 and libgrypt20 as Keepass can use those
for faster operations.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP4:

zypper in -t patch openSUSE-2023-157=1

Package List:

- openSUSE Backports SLE-15-SP4 (noarch):

keepass-2.54-bp154.2.3.1

References:

https://www.suse.com/security/cve/CVE-2023-32784.html
https://bugzilla.suse.com/1211397