Version v7.6.6 (Stable)
With KeePass Client v7.6.5
Release Date
May 16th, 2017
These Release Notes detail the differences between this release and the last Stable version (7.5.15).
For information about the "Latest" versions in between, see Older And In-between Versions.
Security
- Vulnerability Patch
- Summary:
- Additional confidential information could be exposed, but only to accounts that had already been compromised by other means.
- Requirements:
- An unauthorized user would need to have already obtained the correct username and password.
- An unauthorized user would need to have knowledge of the login requirements.
- Scope of Impact:
- The user would already have to have gained access to an authorized account on the Password Server.
- The entries, along with any further activities, would display as usual in Password Server's auditing and history features.
- Status:
- This vulnerability has been fixed in this release.
- Companies will be given 3 months to deploy this patch, before more specific information regarding the vulnerability is revealed.
- Update:
- Summary:
- One type of two-factor authentication would be too lenient in validating responses that are similar but not an exact match. Exploiting this would require the login account password to already be known and for the second factor to be similar to the correct response.
- Risks would be further mitigated by a standard user lockout policy which locks after multiple failed login attempts, as repeated attempts would be required for unauthorized persons to gain access within the timed period.
- This issue was fixed in version 7.6.4 and later releases, and no further action is required from administrators after updating.
- Versions Affected: 7.0.1 - 7.6.3
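The two properties the update above relies on, an exact-match second factor and a lockout after repeated failures, are illustrated below in an added example. This is not Password Server's code and says nothing about how its providers are implemented; it is a generic RFC 4226/6238 TOTP verifier with a constructed lockout policy (MAX_FAILURES, LOCKOUT_SECONDS and the one-step drift window are assumptions for the example). A near-miss code, or a code with extra whitespace or a missing digit, counts as a failure and advances the lockout counter rather than being accepted as "close enough".

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

OTP_DIGITS = 6
TOTP_STEP = 30          # seconds per time step, RFC 6238 default
DRIFT_STEPS = 1         # assumption: accept one step either side for clock skew
MAX_FAILURES = 5        # assumption: constructed lockout threshold
LOCKOUT_SECONDS = 900   # assumption: constructed lockout duration


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


@dataclass
class Account:
    secret: bytes
    failures: int = 0
    locked_until: int = 0


def _record_failure(acct: Account, now: int) -> bool:
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT_SECONDS
    return False


def verify_second_factor(acct: Account, submitted: str, now: int) -> bool:
    """Strict verifier: exact match only, constant-time compare, lockout on repeated failure."""
    if now < acct.locked_until:
        return False  # locked: the submitted code is not evaluated at all
    # The submission must have exactly the expected shape. No trimming, no
    # case folding, no partial credit for a code that merely resembles the
    # correct one; anything else is a failed attempt.
    if len(submitted) != OTP_DIGITS or not submitted.isdigit():
        return _record_failure(acct, now)
    base = now // TOTP_STEP
    candidates = [hotp(acct.secret, base + d) for d in range(-DRIFT_STEPS, DRIFT_STEPS + 1)]
    # Compare against every candidate so timing does not reveal which step matched.
    matched = False
    for code in candidates:
        if hmac.compare_digest(code, submitted):
            matched = True
    if not matched:
        return _record_failure(acct, now)
    acct.failures = 0
    return True


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); at T=59 the code is 287082.
    acct = Account(secret=b"12345678901234567890")
    print(verify_second_factor(acct, "287082", 59))   # exact match: True
    print(verify_second_factor(acct, "287083", 59))   # one digit off: False
    print(verify_second_factor(acct, " 287082", 59))  # leading space: False
```

Run with a secret of your own and the codes from any RFC-compliant authenticator; the point to check is that every rejected attempt, including the near misses, increments `failures` so the lockout policy the update describes actually engages.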
New Feature: Editable Email Templates
- Available in Enterprise+ under Advanced > Email > Email Templates
- Allows administrators to edit the text of the emails sent by Password Server.
- See Email Templates for more information.
New Feature: Direct Linking
- Can now link directly to Entries in the Web Client
- In KeePass for Password Server:
- Right-Click Entry/Folder > Open in Web Client OR Copy Link to Entry/Folder
- Right-Click Entry > View History now opens the Entry History dialog on the main Web Client page
- In Web Client:
- Home page > Actions > Copy Link to Entry
- Home page > Folder Actions > Copy Link to Folder
Improvements
- Improved client loading times.
- Reorganized layout of Admin functionality.
- Settings page sections have moved:
- Private Folder Settings are now under Users and Roles > Manage > Private Folders
- General, Email and Appearance Settings are all under Settings
- SSO Settings are now under SSO Server > SSO Settings
- Client Config is now under Advanced > Clients > Client Configuration
- Password Profiles are now under Advanced > Entries > Password Profiles
- Current License information is now under License > Status
- Subscription Settings are now under License > Email Subscription
- The main Logging page is now under Logging > Logged Events
- Logging Settings are now under Logging > Event Settings
- Syslog Config is now under Logging > Syslog Configuration
- The Security dialog in the Web Client has been renamed to User Access for clarity. The View Security access level permission has been renamed to View User Access to reflect this.
- The Permissions access level permission has been renamed to Permit Granting for clarity.
- Added the News Feed and Version Information to License > Status
- News Feed and New Version Information visibility can be toggled from Settings > Appearance
- The display of a redirection page can be toggled from Settings > General
- The number of used and available users is now displayed on Users and Roles > Manage > Users
- Options in Settings > General warn admin when the number of available seats drops below a set amount.
- Password Access Report has been renamed to User Access History Report and moved under Access Reports.
- New Report:
- Password Access History: Displays all users who have accessed a credential over a given time period.
- Can also be accessed from Actions > Access History on an Entry in the Web Client.
- Membership of local Roles can now be edited from Users and Roles > Roles > Actions > Set Users
- Our Google Authenticator and RADIUS Two-Factor implementations now support Self Enrollment.
- To enable Self Enrollment:
- Go to Users and Roles > Manage > Policies and click the name of the Policy to enable it for
- Click the [Configure] link for Google Authenticator or RADIUS (Two Factor Policy section) and make sure "User Can Self-Enroll in this Provider" is checked.
- Administrators can now specify the full file path for automated backups.
- This allows backing up to another machine over a network.
- Restores must still be performed using a database on the machine hosting Password Server.
- When Blocking Access Inheritance for entries and folders, users will now have the option to add the current access rules directly to the blocked item. They can be deleted once it has been ensured that access has been set up properly.
- The "Use Password SSO Server" role permission has been phased out. The system will now only check if the user has "Use Via SSO" access to an entry when they attempt to sign in with SSO.
- Syncing a Directory User will now update their username if it has changed since they were imported.
- In the Web Client, users can now access the Actions menus for Entries and Folders by right-clicking the row in the grid or the folder in the tree.
- Users can now duplicate credentials and folders from the Web Client.
- Report schedules can now only be modified by the user who created them.
- Added clarifying text that reports are generated with the permissions of the user who created them; all recipients receive the same report.
- Report Schedules will now display error messages if changes to the Password Server have invalidated any of the report parameters.
- Enterprise+ customers can now change the background colour of the Web Client in Settings > Appearance.
- The temporary placeholder certificate will now use SHA-2. This change does not affect existing certificates. It is recommended that System Admins configure their Password Server with a Self-Signed Certificate or a 3rd Party Certificate.
- Disabled users will no longer appear in the dropdowns for User Access, Comment Settings and Notification Settings.
- Improved KeePass and Active Directory performance.
- Improved logging and error handling in Password AutoChanger.
- Various other improvements and fixes to Web and KeePass client presentation and stability.
Bug Fixes
- Fixed an issue that would require web client users to clear their cache after a server upgrade
- Server no longer hangs after failure to change an account password
- Fixed an issue which could prevent using Password Server's Backup and Restore feature to migrate directly from SQLite to a different database type.
- HTTP SSO can now use different placeholders to distinguish between different credentials for the same site
- Fixed an issue that could prevent the Web Client from opening a folder with more than 1000 entries
- Fixed an issue where the Policy rules regarding changes to a user's display name, phone number and email were not being applied for Reset Users.
- All attempts to reset a user's password are now logged whether they succeed or fail. Audit logs of failed attempts will record the username of the account.
- Fixed an issue where users with access to permit other users to Grant access to folders and entries could grant Access Levels containing the following without having the correct Grant access: Grant View User Access, Grant Modify Notification Settings, Grant Modify Comment Settings, Grant Modify Password AutoChange, Grant View Recorded Sessions
- RDP SSO Server now properly creates the SSO Root Certificate if it does not already exist
- Fixed an issue where the Launch RDP SSO links were not starting RDP SSO Client. Requires users to update their RDP SSO Client from the SSO Server Status page
- Changing the sorting in a Folder will no longer cause hidden Custom Field columns to become shown
- Fixed issues that could prevent viewing and saving of Report Schedules
- Fixed an issue in our KeePass client where Entries added to a Folder that had just been created by duplicating another Folder would not be pushed to the Server.
Known Issues
- Upgrading from Versions 7.6.5 and earlier: Following a security improvement in 7.6.6, Enterprise Edition installs may require a change to their Access Levels to retain pre-update capabilities. See Can Only Grant Read-Only Permissions.
Compatibility Notes
- none