From ${URL} : It was found that the XML export function in keepassx 0.4.3 creates a hidden XML file containing user passwords in plaintext, without warning, when the export is cancelled, which may go unnoticed by the user. CVE request: http://seclists.org/oss-sec/2015/q4/404 @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
commit 40f4c38ff1f938261bac47902b28b6f465aa44b7
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Fri Dec 11 15:06:40 2015

    app-admin/keepassx: Security bump to version 0.4.4

    https://www.keepassx.org/news/2015/12/551
    Fixes CVE-2015-8359 and CVE-2015-8378

    Package-Manager: portage-2.2.26
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
By the way, the affected version (0.4.3) has been marked stable in Gentoo, so we need to react here.
Whiteboard corrected: Please advise when ready to go stable
Been in tree for more than 30 days, calling for stabilization. Arches, please test and mark stable: =app-admin/keepassx-0.4.4 Target Keywords: "amd64 ppc x86" Thank you!
amd64 stable
x86 stable
ppc stable. Maintainer(s), please cleanup. Security, please vote.
Arches, Thank you for your work. GLSA Vote: Yes New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
Cleanup complete and opened for pending GLSA.
Bump. This has been resolved in the tree for a while now.
GLSA is long overdue and not required. GLSA Vote: No