Version v7.8.3 (Stable)
With KeePass Client v7.8.0
Release Date
Mar 1st, 2018
These Release Notes detail the differences between this release and the previous Stable version.
Security
The following security concerns have been addressed in this release:
- Vulnerability Patch
- Summary:
- Additional information could be made accessible by leveraging existing authorized access and access information. Improvements have been made to Password Server's handling of user-related security information.
- In a local security context, insufficient output controls could allow an authenticated user opportunity to exploit handling system information, by entering values into the system.
- End-user authorized auto-fill of password credentials by browser or browser plugin could potentially be leveraged by a third-party script running on the same local website domain.
- Recommendation (optional): to further mitigate this concern: Disable Automatic Auto-Fill
- A knowledgeable person with access to a previously accessed and unsecured Password Server machine could leverage information to gain entry into the application.
- Status:
- This update resolves these concerns, along with the optional risk mitigation step of disabling auto-fill.
- Companies will be given 3 months to deploy this patch, before more specific information is disclosed.
- Summary:
- Acknowledgements: Pleasant Solutions would like to thank Profundis Labs for their security audit and for their participation and cooperation with us, in protecting our customers.
New Feature: Favourites Folders
- Available in Enterprise+
- Configured in Settings > Advanced Folders
- Favourite entries can be selected in the Web Client by clicking on the Star icon that appears in the Entry grid and viewed in either the Web Client or KeePass
- If a user has selected favourites, a Favourites folder will display above the Root folder
Improvements
- Can now copy entry username and open the password copy dialog from the right-click context menu in the Web Client.
- Users with a Reset Challenge Policy who have not met the requirements for that policy will now see a message informing them to complete enrollment to ensure they can reset.
- The 'Forgot Password' link on the login page can now be hidden in Enterprise+ from Settings > Appearance
- The 'Help' link in the site header can now be hidden in Enterprise+ from Settings > Appearance
- The folder that the web client starts on can now be set on Settings > Advanced Folders
- If the admin has set the starting folder to User Preference, then users can change this setting via Hello, [username] > Manage Account > Edit > Starting Folder
- NAS Identifier or IP Address can now be set for RADIUS Two Factor configurations
- All Reports with date range parameters now allow leaving a date field blank, to include events that occur since the very start, or events up until the current moment.
- Numerous Security and UI improvements
Bug Fixes
- Directory User Roles are now always checked using the credentials supplied in the directory config
- Fixed an issue where null Custom Field values could be saved into a Credential via the API, causing errors when read in the KeePass client
- Fixed an issue where the Two Factor Token dialog in KeePass would not always receive focus.
- Fixed an issue where the Copy Password dialog would not appear in Tag or Favourites folders.
- Right-click context menus in the Users and Roles grids now display the correct Actions again.
- Fixed an issue that could prevent a user from changing their personal language setting.
- The search field on the Web Client now properly recognizes Unicode characters.
Known Issues
- Upgrading from Versions 7.6.5 and earlier: Following a security improvement in 7.6.6, Enterprise Edition installs may require a change to their Access Levels to retain pre-update capabilities: See Can Only Grant Read-Only Permissions.
Compatibility Notes
- none