CVSROOT: /cvs
Module name: ports
Changes by: [email protected] 2025/01/27 06:59:47
Modified files:
security/vaultwarden: Tag: OPENBSD_7_6 Makefile crates.inc distinfo
security/vaultwarden/patches: Tag: OPENBSD_7_6 patch-Cargo_toml
Added files:
security/vaultwarden/patches: Tag: OPENBSD_7_6
patch-src_api_notifications_rs
patch-src_crypto_rs
patch-src_db_models_cipher_rs
Log message:
security/vaultwarden: update to 1.33.0
contains 3 security fixes:
- GHSA-f7r5-w49x-gxm3: This vulnerability is only possible if you do not
have an ADMIN_TOKEN configured and open links or pages you should not
trust anyway. Ensure you have an ADMIN_TOKEN configured to keep your
admin environment safe.
- GHSA-h6cc-rc6q-23j4: This vulnerability is only possible if someone
was able to gain access to your Vaultwarden Admin Backend. The
attacker could then change some settings to use sendmail as mail agent
but adjust the settings in such a way that it would use a shell
command. It then also needed to craft a special favicon image which
would have the commands embedded to run during, for example, sending a
test email.
- GHSA-j4h8-vch3-f797: This vulnerability affects all users who have
multiple Organizations and users who are able to create a new
organization or have admin or owner rights on at least one
organization. The attacker does need to know the Organization UUID of
the Organization it wants to attack or compromise though.
Full changelog:
https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.0.
OK: bket@ aisha@