Bug 585140 (CVE-2016-5119) - <app-admin/keepass-2.34: MitM attack against update check
Summary: <app-admin/keepass-2.34: MitM attack against update check
Status: RESOLVED FIXED
Alias: CVE-2016-5119
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-06 07:25 UTC by Agostino Sarubbo
Modified: 2016-07-17 22:21 UTC (History)
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2016-06-06 07:25:28 UTC
From ${URL} :

An attacker can abuse KeePass 2's recommended automatic update check – if enabled – to “release” a 
new version and redirect the user to a malicious download page.

External references:

https://bogner.sh/2016/03/mitm-attack-against-keepass-2s-update-check/


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alessandro Di Federico 2016-06-06 09:22:36 UTC
Upstream's response:

http://keepass.info/help/kb/sec_issues.html#updsig

The above link talks about KeePass 2.34 but it doesn't appear it has been released yet. So let's wait and see. Since AFAIK there's no public repository, I think the only thing to do is to wait.

I think this is not tragic in our context; typically the user might be led to think there's an updated version, but as long as they use Portage everything should be fine. Our users are not supposed to download anything from the website in any case.

This said, upstream should use HTTPS everywhere on the website, while currently they do not. I just noticed that in a hidden place on the website they also provide PGP signatures for the source code. I'll check them from now on.

http://keepass.info/integrity_sig.html

I also verified that the last three versions of KeePass had a correct signature.

I used the key with the following fingerprint (which I confirmed on pgp.mit.edu, the non-HTTPS website and keybase.io):

2171 BEEA D0DD 92A1 8065 5626 DCCA A5B3 FEB7 C7BC

Everything should be fine.
Comment 2 Frank Krömmelbein 2016-06-11 14:00:52 UTC
KeePass 2.34 has been released today.

Full Changelog:
http://keepass.info/news/n160611_2.34.html
Comment 3 Alessandro Di Federico 2016-06-11 16:02:36 UTC
I've tested the new version and the old ebuild works fine. We're good to go.

On a side note, I asked upstream to sign the packages with a stronger PGP key:

https://sourceforge.net/p/keepass/discussion/329220/thread/46872dc1/

Now they use a key with the following fingerprint:

D950 4428 3EE9 48D9 11E8  B606 A4F7 62DC 58C6 F98E

Here's the relevant part of the Manifest file:

DIST KeePass-2.34-Source.zip 4744285 SHA256 e3f184e4deddd1aa5ee2b52e2373c772d3f3975e5eddb2fd729eb27b437011aa SHA512 a52fe7bb0cee60daa0428cf42cf2d6cfc5798fa52d535b10548880417bfe61458c5357ea3dfdb569571fa8aa958de05369c269e2dbb64af5cfa5c913fad521e0 WHIRLPOOL 2aeac242d5f1a342ec338cb442b8083f4dc72635d9bc8b02cd2aad4613ecf9f311cddf0832a3f1ebe03d881dce41d3a77edb097e3853967d467c2ce55b8d33cb
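The Manifest DIST line quoted above and the key fingerprints in comments 1 and 3 are exactly what Portage and a maintainer check before trusting a distfile, which is why the HTTP update check matters little for Gentoo users. As an added example (not code from this bug, the Gentoo tree, or KeePass), the following Python script parses a DIST line, verifies a file's size and digests against it, and compares a fingerprint as printed by gpg with a trusted reference. The sample distfile and its Manifest line are constructed inside the script; the function names are the example's own.

```python
import hashlib

# Constructed sample distfile contents; NOT the real KeePass archive.
SAMPLE_DISTFILE = b"constructed sample archive contents\n"

# Fingerprint of the new KeePass signing key, as quoted in comment 3 of this bug.
KEEPASS_FINGERPRINT = "D950 4428 3EE9 48D9 11E8  B606 A4F7 62DC 58C6 F98E"


def normalize_fingerprint(fpr):
    """Canonical form of a PGP fingerprint: uppercase hex, no whitespace.
    Raises ValueError if the result is not a 40-hex-digit (v4) fingerprint."""
    compact = "".join(fpr.split()).upper()
    if len(compact) != 40 or any(c not in "0123456789ABCDEF" for c in compact):
        raise ValueError(f"not a v4 PGP fingerprint: {fpr!r}")
    return compact


def fingerprints_match(shown, trusted):
    """Compare a fingerprint as gpg prints it with a reference confirmed
    out of band (keyserver, keybase, ...), as comment 1 describes doing."""
    return normalize_fingerprint(shown) == normalize_fingerprint(trusted)


def make_dist_line(filename, data, algos=("SHA256", "SHA512")):
    """Build a Manifest DIST line for data, in the format shown in comment 3."""
    fields = ["DIST", filename, str(len(data))]
    for algo in algos:
        fields += [algo, hashlib.new(algo.lower(), data).hexdigest()]
    return " ".join(fields)


def parse_dist_line(line):
    """Parse 'DIST <file> <size> <ALGO> <hex> [<ALGO> <hex> ...]'."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "DIST" or (len(parts) - 3) % 2 != 0:
        raise ValueError(f"malformed DIST line: {line!r}")
    hashes = {algo.upper(): hexdigest.lower()
              for algo, hexdigest in zip(parts[3::2], parts[4::2])}
    return {"file": parts[1], "size": int(parts[2]), "hashes": hashes}


def verify_distfile(entry, data):
    """Check data against a parsed DIST entry. Returns a list of failure
    strings; an empty list means every recorded size and digest matched.
    A digest algorithm this Python build cannot compute is reported as a
    failure rather than silently skipped (fail closed)."""
    failures = []
    if len(data) != entry["size"]:
        failures.append(f"size: expected {entry['size']}, got {len(data)}")
    for algo, expected in entry["hashes"].items():
        name = algo.lower()
        if name not in hashlib.algorithms_available:
            failures.append(f"{algo}: not available in this hashlib, refusing to skip")
            continue
        actual = hashlib.new(name, data).hexdigest()
        if actual != expected:
            failures.append(f"{algo}: expected {expected}, got {actual}")
    return failures


# Constructed Manifest line for the sample above (generated here, not taken from the page).
SAMPLE_MANIFEST_LINE = make_dist_line("sample-1.0.zip", SAMPLE_DISTFILE)


if __name__ == "__main__":
    entry = parse_dist_line(SAMPLE_MANIFEST_LINE)
    print("intact  :", verify_distfile(entry, SAMPLE_DISTFILE) or "OK")
    print("tampered:", verify_distfile(entry, SAMPLE_DISTFILE + b"x"))
    print("fpr ok  :", fingerprints_match(
        "d95044283ee948d911e8b606a4f762dc58c6f98e", KEEPASS_FINGERPRINT))
```

The size check comes first because it is free and catches truncated downloads before any hashing; an unavailable algorithm (WHIRLPOOL on many OpenSSL builds) is treated as a verification failure rather than ignored, so that a stripped-down hashlib cannot quietly weaken the check.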
Comment 4 Michael Palimaka (kensington) gentoo-dev 2016-06-11 18:10:47 UTC
Thanks a lot, bumped in git.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e8059e6ba92d83a257549f6879cea55759aae85
Comment 5 Agostino Sarubbo gentoo-dev 2016-07-09 17:46:25 UTC
amd64 stable
Comment 6 Michael Palimaka (kensington) gentoo-dev 2016-07-17 19:16:57 UTC
x86 stable and cleanup done
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-07-17 22:21:31 UTC
GLSA Vote: No.