qtpass (1.2.1-1~bpo9+1) stretch-backports; urgency=medium

  All passwords generated with QtPass' built-in password generator prior to
  1.2.1 are possibly predictable and enumerable by hackers.
  While the default configuration in stretch is not vulnerable, the situation
  is different for users of stretch-backports. In August 2017 a new version of
  `pass` was uploaded to stretch-backports which doesn't recommend `pwgen`
  anymore. This means that QtPass will probably have used the built-in password
  generator since then. Please change all passwords you generated with QtPass
  since August 2017.

 -- Philip Rinn <rinni@inventati.org>  Mon, 08 Jan 2018 00:38:34 +0100

qtpass (1.2.1-1) unstable; urgency=high

  All passwords generated with QtPass' built-in password generator prior to
  1.2.1 are possibly predictable and enumerable by hackers.
  The generator used libc's random(), seeded with srand(msecs), where msecs is
  not the msecs since 1970 (not that that'd be secure anyway), but rather the
  msecs since the last second. This means there are only 1000 different
  sequences of generated passwords.
  .
  NB: QtPass uses `pwgen` to generate passwords by default. This means that if
  you didn't change the configuration to use the built-in password generator,
  your passwords are safe. If you used the built-in password generator, change
  all passwords you generated with QtPass.

 -- Philip Rinn <rinni@inventati.org>  Thu, 04 Jan 2018 21:45:48 +0100
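The seeding flaw described in the 1.2.1-1 entry above, as an added example that is not QtPass code: a generator seeded with a 0..999 millisecond value beside a form that draws from the kernel CSPRNG, plus an audit helper that tells whether a stored password falls in the 1000-seed set. The character set, password length and all function names are assumptions, and srand()/rand() stand in for the generator the entry names.

```c
/* Added illustration; generator layout, charset and length are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/random.h>   /* getrandom(), Linux/glibc >= 2.25 */

#define PW_LEN 16
static const char CS[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
#define CS_LEN (sizeof CS - 1)

/* Weak pattern: PRNG seeded with the millisecond part of the clock (0..999). */
void weak_password(unsigned msecs, char out[PW_LEN + 1]) {
    srand(msecs);
    for (int i = 0; i < PW_LEN; i++)
        out[i] = CS[rand() % CS_LEN];
    out[PW_LEN] = '\0';
}

/* Audit helper: seed that reproduces pw under the weak pattern, or -1. */
int weak_seed_of(const char *pw) {
    char cand[PW_LEN + 1];
    for (unsigned ms = 0; ms < 1000; ms++) {
        weak_password(ms, cand);
        if (strcmp(cand, pw) == 0) return (int)ms;
    }
    return -1;
}

/* Hardened form: kernel CSPRNG bytes, rejection sampling to avoid modulo bias. */
int strong_password(char out[PW_LEN + 1]) {
    const unsigned limit = 256 - (256 % CS_LEN);   /* 248 for 62 symbols */
    int n = 0;
    while (n < PW_LEN) {
        unsigned char b;
        if (getrandom(&b, 1, 0) != 1) return -1;   /* fail closed */
        if (b < limit) out[n++] = CS[b % CS_LEN];
    }
    out[PW_LEN] = '\0';
    return 0;
}

int main(void) {
    char pw[PW_LEN + 1];
    weak_password(437, pw);                        /* constructed sample seed */
    printf("weak   %s  reproduced by seed %d\n", pw, weak_seed_of(pw));
    if (strong_password(pw) != 0) return 1;
    printf("strong %s  reproduced by seed %d\n", pw, weak_seed_of(pw));
    return 0;
}
```

On glibc, srand(0) and srand(1) produce the same sequence, so the weak set there holds fewer than 1000 distinct passwords.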

