Hi,

QtPass uses `pwgen` to generate passwords by default. This means that if you didn't change the configuration to use the built-in password generator, your passwords are safe. If you used the built-in password generator, change all passwords you generated with QtPass.
So, the number of affected people using the Ubuntu/Debian version should be rather low. Nonetheless, there are fixed versions available in bionic, and I prepared a fix for qtpass 1.1.6 (the version in artful) which Ubuntu could copy from Debian stable-proposed-updates. You should point the Ubuntu security team to the fixed version for artful (1.1.6-1+deb9u1) and ask them to copy it from Debian s-p-u.

Hope that helps
Philip

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-18021

https://bugs.launchpad.net/bugs/1747954

Title:
  qtpass generates possibly predictable and enumerable passwords