CVSROOT:        /cvs
Module name:    ports
Changes by:     [email protected]  2025/01/27 06:59:12

Modified files:
        security/vaultwarden: Makefile crates.inc distinfo 
        security/vaultwarden/patches: patch-Cargo_toml 

Log message:
security/vaultwarden: update to 1.33.0

contains 3 security fixes:
- GHSA-f7r5-w49x-gxm3: This vulnerability is only possible if you do not
have an ADMIN_TOKEN configured and open links or pages you should not
trust anyway. Ensure you have an ADMIN_TOKEN configured to keep your
admin environment safe.
- GHSA-h6cc-rc6q-23j4: This vulnerability is only possible if someone
was able to gain access to your Vaultwarden Admin Backend. The
attacker could then change some settings to use sendmail as mail agent
but adjust the settings in such a way that it would use a shell
command.  It then also needed to craft a special favicon image which
would have the commands embedded to run during, for example, sending a
test email.
- GHSA-j4h8-vch3-f797: This vulnerability affects all users who have
multiple Organizations and users which are able to create a new
organization or have admin or owner rights on at least one
organization. The attacker does need to know the Organization UUID of
the Organization it wants to attack or compromise though.

Full changelog:
https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.0.

Diff from bket@

OK: semarie@ bket@ aisha@
