With KeePass Client v7.1.15
Sept 28, 2015
These Release Notes detail the differences between this release and the last version of any type (7.1.13).
- Vulnerability Patch
- 1-2 pieces of specific confidential information could be made accessible to select individuals who already have significant, but not full, access to the system.
- Unauthorized individual (attacker) would first require access to the file system on the machine where Password Server was installed.
- A second individual with authorized access to a particular credential would need to insert specific, unlikely, information into a particular credential entry.
- Scope of Impact:
- That specific entry involved in requirement #2 above would potentially be accessible to the individual in requirement #2.
- No other entries would be revealed.
- Entry would not be revealed to individuals who do not have file system access to the Password Server.
- This vulnerability has been fixed in this release.
- Companies will be given 1 month to deploy this patch, before more specific information regarding the vulnerability is revealed.
- The vulnerability fixed in the 7.1.15 patch resulted in the ‘WebLogs.txt’ files logging sensitive information if particular values were present in the entry. To remove this information, search the files for ‘zxcvbn’ and delete the log lines. By default the WebLogs files are located in C:/ProgramData/Pleasant Solutions/Password Server.
- Versions Affected: 7.0.4 - 7.1.13
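As an added example (not part of these release notes or of Pleasant Solutions' software), the cleanup step above as a script: it walks the WebLogs files in the default directory given above, counts the lines containing 'zxcvbn' so you can first gauge exposure with a dry run, and then removes them. The `WebLogs*` file-name pattern, the dry-run flag and the optional `.bak` copy are assumptions, not behaviour described by the release notes.

```python
"""Remove WebLogs lines containing the marker named in the 7.1.15 release notes.

Assumptions (not from the release notes): log files are plain text with one
record per line, and rotated copies keep a name starting with 'WebLogs'.
"""
import shutil
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

MARKER = "zxcvbn"  # string the release notes say to search for
# Default WebLogs location stated in the release notes.
DEFAULT_LOG_DIR = Path("C:/ProgramData/Pleasant Solutions/Password Server")


def scrub_lines(lines: Iterable[str], marker: str = MARKER) -> Tuple[List[str], int]:
    """Return (lines to keep, number of lines dropped).

    Matching is case-insensitive so a differently cased field is not missed.
    """
    kept: List[str] = []
    dropped = 0
    needle = marker.lower()
    for line in lines:
        if needle in line.lower():
            dropped += 1
        else:
            kept.append(line)
    return kept, dropped


def scrub_file(path: Path, marker: str = MARKER, dry_run: bool = False,
               backup: bool = False) -> int:
    """Rewrite one log file without marker lines; return how many matched.

    With dry_run=True the file is only scanned. With backup=True a .bak copy is
    written first; it still holds the sensitive lines, so delete it once the
    scrubbed file has been checked.
    """
    with path.open("r", encoding="utf-8", errors="replace") as fh:
        kept, dropped = scrub_lines(fh, marker)
    if dropped == 0 or dry_run:
        return dropped  # nothing to change, or only reporting
    if backup:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
    with path.open("w", encoding="utf-8") as fh:
        fh.writelines(kept)
    return dropped


def scrub_directory(log_dir: Path, marker: str = MARKER,
                    dry_run: bool = False) -> Dict[str, int]:
    """Scan every WebLogs* file in log_dir; map file name -> matching lines."""
    return {
        p.name: scrub_file(p, marker, dry_run=dry_run)
        for p in sorted(log_dir.glob("WebLogs*"))
        if p.is_file() and not p.name.endswith(".bak")
    }


if __name__ == "__main__":
    # Usage: scrub_weblogs.py [log_dir] [--dry-run]
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    target = Path(args[0]) if args else DEFAULT_LOG_DIR
    report = scrub_directory(target, dry_run="--dry-run" in sys.argv)
    for name, count in report.items():
        print(f"{name}: {count} matching line(s)")
```

Run it once with `--dry-run` to see how many lines per file carry the marker (a non-zero count means the sensitive values were written to disk and any copies, such as log forwarding or backups, need the same treatment), then run it again without the flag to remove them.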
- System Admins can now subscribe to our coming mailing list for security alerts and release announcements.
- The 'Disconnect/Go Offline' button no longer appears in KeePass if the user does not have offline access to any credentials.
- Fixed an issue that could cause a failure with the optimized version 6 to 7 upgrades on Postgres Database.
- Fixed an issue with KeePass custom icons after the optimized version 6 to 7 that prevented KeePass from connecting to Password Server.
- Fixed an issue where a Client Config could not be set to be enforced for 'Everyone'.
- Fixed an issue where KeePass would shut down after failing to connect to a server and being told not to fallback to Offline Mode.
- Fixed an issue where Password Server would potentially log edits to Entries twice and if a comment was required for the edit, display two consecutive comment dialogs.
- Fixed an issue where KeePass could encounter an error if an OAuth Token expired and required Two-Factor Authentication to refresh.
- Fixed an error where KeePass would not untray when in Offline Mode.
- Folders with non-default built-in icons (e.g. ) may have those icons replaced by the default icon ( or ). (Fixed in KeePass Client 7.1.16+)
- Old versions of Client apps that do not support the Usage Comment feature will not be able to perform actions that have "require comments" turned on. Make sure you also have the latest KeePass Client if you wish to use these features.
- Nested AD/LDAP groups cannot be imported in Password Server Version 7.0.1 - 7.3.5.
- Internet Explorer 8 is no longer supported in Password Server Version ≥ 7.0.1.
- In Internet Explorer, the Password Server must be viewed with Compatibility Mode turned off. Some IE settings force intranet sites to be viewed in Compatibility Mode; if these settings cannot be disabled, accessing the Web Client using its fully qualified domain name can get around these settings.