Debian bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791858
Debian patch: http://anonscm.debian.org/cgit/collab-maint/keepassx.git/commit/?id=b3c9028db8ec3b8752ff47717ffc792d755c1294
A commit references this bug:
Author: junovitch
Date: Tue Dec 8 00:28:48 UTC 2015
New revision: 403244
URL: https://svnweb.freebsd.org/changeset/ports/403244
Log:
  Document information disclosure in KeePassX
  PR: 205105
  Security: CVE-2015-8378
  Security: https://vuxml.FreeBSD.org/freebsd/918a5d1f-9d40-11e5-8f5c-002590263bf5.html
Changes:
  head/security/vuxml/vuln.xml
Documented as 0.4.4 at this time and I'm moving on to the next issue to research. We can fix it to 0.4.3_2 if we import the patch.
Created attachment 164097
KeePassX-04.4.patch

Steve,

It hasn't hit the SF mirrors but I appended the upstream page after the SF MASTER_SITES. I also added desktop-file-utils to address this QA issue noted in Poudriere.

Warning: you need USES=desktop-file-utils

I've only checked 11.0 i386 Poudriere so far and the rest of the builds will go overnight with dependencies. You are more than welcome to take for yourself or drop an 'Approved by:' assuming my overnight builds look good.
Poudriere clean on:
  9.3-RELEASE-p30 amd64
  9.3-RELEASE-p30 i386
  10.1-RELEASE-p24 amd64
  10.1-RELEASE-p24 i386
  11.0-CURRENT r291793 amd64
  11.0-CURRENT r291793 i386
Adding 'patch-ready'
A commit references this bug:
Author: junovitch
Date: Wed Dec 23 00:22:31 UTC 2015
New revision: 404271
URL: https://svnweb.freebsd.org/changeset/ports/404271
Log:
  security/keepassx: update 0.4.3 -> 0.4.4
  - Update MASTER_SITES. Upstream no longer uses SVN or SourceForge infrastructure. See http://sourceforge.net/p/keepassx/code/387/
  - USES: Add desktop-file-utils
  PR: 205105
  Approved by: maintainer timeout (2 weeks)
  Security: CVE-2015-8378
  Security: https://vuxml.FreeBSD.org/freebsd/918a5d1f-9d40-11e5-8f5c-002590263bf5.html
  MFH: 2015Q4
Changes:
  head/security/keepassx/Makefile
  head/security/keepassx/distinfo
A commit references this bug:
Author: junovitch
Date: Wed Dec 23 20:19:51 UTC 2015
New revision: 404318
URL: https://svnweb.freebsd.org/changeset/ports/404318
Log:
  MFH: r404271
  security/keepassx: update 0.4.3 -> 0.4.4
  - Update MASTER_SITES. Upstream no longer uses SVN or SourceForge infrastructure. See http://sourceforge.net/p/keepassx/code/387/
  - USES: Add desktop-file-utils
  PR: 205105
  Approved by: maintainer timeout (2 weeks)
  Approved by: ports-secteam (feld)
  Security: CVE-2015-8378
  Security: https://vuxml.FreeBSD.org/freebsd/918a5d1f-9d40-11e5-8f5c-002590263bf5.html
Changes:
  _U branches/2015Q4/
  branches/2015Q4/security/keepassx/Makefile
  branches/2015Q4/security/keepassx/distinfo
Update committed with minor variations from attached patch and merged to quarterly. As mentioned in the commit message SourceForge is no longer in use so the original MASTER_SITES change in the attached patch was not correct.