This release contains security fixes for the following advisories:
- GHSA-937x-3j8m-7w7p Unconfirmed Owner Can Purge Entire Organization
Vault
- GHSA-569v-845w-g82p Cross-Org Group Binding Enables Unauthorized Read
And Write Access Into Another Organization
- GHSA-6j4w-g4jh-xjfx Refresh tokens not invalidated on security stamp
rotation
Changes: https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.5
This release contains security fixes:
- GHSA-w9f8-m526-h7fh. This vulnerability would allow an attacker to
access a cipher from a different user (fully encrypted) if they
already know its internal UUID.
- GHSA-h4hq-rgvh-wh27. This vulnerability allows an attacker with
manager-level access within an organization to modify collections they
can access, even if they do not have management permissions for them.
- GHSA-r32r-j5jq-3w4m. This vulnerability allows an attacker with
manager-level access within an organization to modify collections they
are not assigned. These are private for now, pending CVE assignment.
Changes: https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.4
GHSA-h265-g7rm-h337 (Publication in process, waiting for CVE
assignment). This vulnerability would allow an authenticated attacker
that is part of an organization to access items from collections to
which the attacker does not belong.
Changes:
https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3
contains 3 security fixes:
- GHSA-f7r5-w49x-gxm3: This vulnerability is only possible if you do not
have an ADMIN_TOKEN configured and open links or pages you should not
trust anyway. Ensure you have an ADMIN_TOKEN configured to keep your
admin environment safe.
- GHSA-h6cc-rc6q-23j4: This vulnerability is only possible if someone
was able to gain access to your Vaultwarden Admin Backend. The
attacker could then change some settings to use sendmail as the mail agent,
but adjust the settings in such a way that it would use a shell
command. They then also needed to craft a special favicon image which
would have the commands embedded, to run, for example, while sending a
test email.
- GHSA-j4h8-vch3-f797: This vulnerability affects all users who have
multiple Organizations and users who are able to create a new
organization or have admin or owner rights on at least one
organization. The attacker does need to know the Organization UUID of
the Organization it wants to attack or compromise, though.
Full changelog:
https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.0.
Diff from bket@
OK: semarie@ bket@ aisha@
From https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.5:
This release further fixes some CVE reports reported by a third-party
security auditor, and we recommend everybody update to the latest
version as soon as possible. The contents of these reports will be
disclosed publicly in the future.
Tested by and OK from kirill@, aisha@
From https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.4:
This release has fixed some CVE reports reported by a third-party
security auditor, and we recommend everybody update to the latest
version as soon as possible. The contents of these reports will be
disclosed publicly in the future.
OK aisha@
The mysqlclient-sys crate only bundles libmysqlclient bindings for arm64
and x86 (i386 is marked as BROKEN, though). This lets the other
vaultwarden FLAVORS build on e.g. riscv64.
ok aisha@ (maintainer)
Found that .env is not created in www/vaultwarden/data/ when installing
vaultwarden, which is caused by www/vaultwarden/data/ being created as
the last step.
If we need to make an exception we can do it and properly document the
reason but by default we should just use the default login class.
rc.d uses daemon or the login class provided in login.conf.d, so this has
no impact there.
discussed with sthen@, tb@ and robert@
praying that my grep/sed skills did not break anything and still
believing in portbump :-)
the rust std library has been changed to not try to reallocate
a guard page on the stack.
as the rust std library is statically linked in rust programs,
bump REVISION to force reinstall.