From the KeePass site: http://keepass.info/help/kb/sec_issues.html#updsig<p><i>In order to prevent a man in the middle from making KeePass display incorrect version information (even though this does not imply a successful attack, see above), the version information file is now digitally signed (using RSA-2048 and SHA-512).<p>KeePass 2.34 and higher only accept such a digitally signed version information file. This solution is more secure than just using HTTPS, because it guarantees version information safety even when the webserver is compromised (the private key for signing the version information is not stored on the webserver).</i><p>Downloads page: http://keepass.info/download.html<p>Edit:
The update has NOT yet been released, as of (CET 11:30 2016-06-06)
This is a partial fix, but it's not enough. An attacker performing a man-in-the-middle attack can respond with the previous version of the "version information file", preventing the update.<p>Imagine there's a vulnerability in one version of KeePass2, and the fix is available for it. The MITM attacker sends the previous version so that the app doesn't know there's an update, and the attacker has more time to use the vulnerability.<p>HTTPS prevents this. They should do both.
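The two points above, that a signed version-information file stops a man in the middle from forging its contents, but that replaying an older, still genuinely signed file freezes the client on an old release, are shown here as an added example. This is not KeePass's code or its real file format: the text body, the hypothetical monotonic "Serial:" counter line, the rollback rule, and the throwaway key pair generated at run time are all assumptions for illustration. It uses RSA-2048 with SHA-512 (PSS) from Go's standard library.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// VersionFile models a signed version-information file: a text body plus a
// detached RSA-2048/SHA-512 (PSS) signature over it. The "Serial:" line is a
// hypothetical monotonic counter used by this example, not KeePass's format.
type VersionFile struct {
	Body string
	Sig  []byte
}

var (
	ErrBadSignature = errors.New("version file: signature does not verify")
	ErrRollback     = errors.New("version file: serial not newer than last accepted (replayed old file?)")
)

// Sign is what the publisher does offline with the private key.
func Sign(priv *rsa.PrivateKey, body string) ([]byte, error) {
	digest := sha512.Sum512([]byte(body))
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA512, digest[:], nil)
}

// VerifySignature checks authenticity only. This is all a signed file buys:
// a MITM cannot forge or alter the body, but can replay an old genuine one.
func VerifySignature(pub *rsa.PublicKey, vf VersionFile) error {
	digest := sha512.Sum512([]byte(vf.Body))
	if err := rsa.VerifyPSS(pub, crypto.SHA512, digest[:], vf.Sig, nil); err != nil {
		return ErrBadSignature
	}
	return nil
}

// Serial extracts the hypothetical monotonic counter from the body.
func Serial(body string) (int, error) {
	for _, line := range strings.Split(body, "\n") {
		if strings.HasPrefix(line, "Serial:") {
			return strconv.Atoi(strings.TrimSpace(strings.TrimPrefix(line, "Serial:")))
		}
	}
	return 0, errors.New("version file: no Serial line")
}

// Accept is the client-side rule: genuine AND strictly newer than the last
// file this client accepted (lastSerial, persisted locally). It returns the
// serial to persist next. A replayed older file fails despite a valid signature.
func Accept(pub *rsa.PublicKey, vf VersionFile, lastSerial int) (int, error) {
	if err := VerifySignature(pub, vf); err != nil {
		return lastSerial, err
	}
	s, err := Serial(vf.Body)
	if err != nil {
		return lastSerial, err
	}
	if s <= lastSerial {
		return lastSerial, ErrRollback
	}
	return s, nil
}

// Outcome records three deliveries to a client that last accepted serial 5:
// a forged body, a replayed old file, and the real update.
type Outcome struct {
	Forged, Replayed, Fresh error
	NewSerial               int
}

// Scenario generates a throwaway key pair (in practice the public key is
// compiled into the client and the private key never touches the webserver)
// and runs the three deliveries. The bodies are constructed sample data.
func Scenario() (Outcome, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	pub := &priv.PublicKey
	oldBody, newBody := "KeePass:2.33\nSerial:5\n", "KeePass:2.34\nSerial:6\n"
	oldSig, err1 := Sign(priv, oldBody)
	newSig, err2 := Sign(priv, newBody)
	if err1 != nil || err2 != nil {
		return Outcome{}, errors.Join(err1, err2)
	}
	const lastSerial = 5
	var o Outcome
	// 1. MITM rewrites the body but cannot re-sign it: signature check fails.
	_, o.Forged = Accept(pub, VersionFile{Body: "KeePass:2.33\nSerial:9\n", Sig: newSig}, lastSerial)
	// 2. MITM replays the genuine previous file to hide 2.34: rollback check fails.
	_, o.Replayed = Accept(pub, VersionFile{Body: oldBody, Sig: oldSig}, lastSerial)
	// 3. The real file is genuine and newer: accepted, client persists serial 6.
	o.NewSerial, o.Fresh = Accept(pub, VersionFile{Body: newBody, Sig: newSig}, lastSerial)
	return o, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("forged:  ", o.Forged)
	fmt.Println("replayed:", o.Replayed)
	fmt.Println("fresh:   ", o.Fresh, "-> persist serial", o.NewSerial)
}
```

The rollback check only works if the client persists the last accepted serial and the publisher never reuses one; an expiry date in the signed body would additionally bound how long a withheld update can be hidden, which a plain counter does not.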
> Downloads page: <i>http</i>://keepass.info/download.html<p>I still see a glaring MitM vulnerability…<p>Until the author actually switches to HTTPS, network operators can simply hijack the original downloads page in the first place. This update is barely a mitigation.<p>If he wants more ad revenue, his only option is to find another ad network. Eventually someone else is going to start hosting a popular fork on a different HTTPS site if he keeps stubbornly ignoring this issue.
Why not just switch to using The Update Framework (TUF)[1]? It solves many, many, many attacks against updating systems and we really should be using it everywhere.<p>[1]: <a href="https://theupdateframework.github.io/" rel="nofollow">https://theupdateframework.github.io/</a>
My question is: would they have released this update if the person who came forward about the fact that KeePass said they wouldn't fix it hadn't?
Allowing these types of programs to auto-notify of updates and self-update should be considered bad practice and a high security risk.<p>Why risk a malicious MITM-ed update? The KeePass site should just provide portable zips and off-site hashes and sigs for verification.