On Sun 26/01/2025 09:57, Kirill A. Korinsky wrote:
> On Sat, 25 Jan 2025 22:05:57 +0100,
> Bjorn Ketelaars <b...@openbsd.org> wrote:
> >
> > Diff below updates vaultwarden to 1.33.0, which contains 3 security
> > fixes:
> > - GHSA-f7r5-w49x-gxm3: This vulnerability is only possible if you do not
> >   have an ADMIN_TOKEN configured and open links or pages you should not
> >   trust anyway. Ensure you have an ADMIN_TOKEN configured to keep your
> >   admin environment safe.
> > - GHSA-h6cc-rc6q-23j4: This vulnerability is only possible if someone
> >   was able to gain access to your Vaultwarden Admin Backend. The
> >   attacker could then change some settings to use sendmail as mail agent
> >   but adjust the settings in such a way that it would use a shell
> >   command. It then also needed to craft a special favicon image which
> >   would have the commands embedded to run during, for example, sending a
> >   test email.
> > - GHSA-j4h8-vch3-f797: This vulnerability affects all users who have
> >   multiple Organizations and users which are able to create a new
> >   organization or have admin or owner rights on at least one
> >   organization. The attacker does need to know the Organization UUID of
> >   the Organization it wants to attack or compromise though.
> >
> > Overview on changes can be found at
> > https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.0.
> >
> > Run tested on amd64.
> >
> > OK/comments?
> >
>
> Tested on -current/amd64 with www/vaultwarden-web-2025.1.1.
>
> OK kirill@ for both ports.
>
> Do you plan to backport it to -stable?
I tried to backport vaultwarden-1.33.0, and failed. This update has set
minimal rust version to 1.8.3. Building with rust-1.8.1, which we have in
-stable, fails with the errors below.

Maybe this could be fixed by (partially) reverting relevant commits [0, 1].
Not sure if this works, and more important, if this is the right way
forward. Backporting the latter would be easy, backporting the first is not
trivial as it breaks other stuff.

Long story short, I do not have plans to backport vaultwarden-1.33.0 to
-stable.

[0] https://github.com/dani-garcia/vaultwarden/commit/dfd9e653963a72fd45822c7fd26186b0bf72844d
[1] https://github.com/dani-garcia/vaultwarden/commit/327d369188a134909284b43692bdfac25f7751bd

error[E0658]: use of unstable library feature 'is_none_or'
   --> src/db/models/cipher.rs:282:59
    |
282 | ... && (type_data_json["keyFingerprint"].as_str().is_none_or(|v| v.is_e...
    |                                                   ^^^^^^^^^^
    |
    = note: see issue #126383 <https://github.com/rust-lang/rust/issues/126383> for more information

error[E0658]: use of unstable library feature 'is_none_or'
   --> src/db/models/cipher.rs:283:58
    |
283 | ... || type_data_json["privateKey"].as_str().is_none_or(|v| v.is_empty())
    |                                              ^^^^^^^^^^
    |
    = note: see issue #126383 <https://github.com/rust-lang/rust/issues/126383> for more information

error[E0658]: use of unstable library feature 'is_none_or'
   --> src/db/models/cipher.rs:284:57
    |
284 | ... || type_data_json["publicKey"].as_str().is_none_or(|v| v.is_empty()))
    |                                             ^^^^^^^^^^
    |
    = note: see issue #126383 <https://github.com/rust-lang/rust/issues/126383> for more information

error[E0658]: referencing statics in constants is unstable
 --> src/crypto.rs:9:39
  |
9 | const DIGEST_ALG: pbkdf2::Algorithm = pbkdf2::PBKDF2_HMAC_SHA256;
  |                                       ^^^^^^^^^^^^^^^^^^^^^^^^^^
  |
  = note: see issue #119618 <https://github.com/rust-lang/rust/issues/119618> for more information
  = note: `static` and `const` variables can refer to other `const` variables. A `const` variable, however, cannot refer to a `static` variable.
  = help: to fix this, the value can be extracted to a `const` and then used.

Some errors have detailed explanations: E0602, E0658.
For more information about an error, try `rustc --explain E0602`.
warning: `vaultwarden` (bin "vaultwarden") generated 4 warnings (2 duplicates)
error: could not compile `vaultwarden` (bin "vaultwarden") due to 4 previous errors; 4 warnings emitted
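The two errors in the build log above are what a "partial revert" for the older -stable toolchain would have to touch. The following is an added example (written for this page; it is not vaultwarden's code and not part of the OpenBSD port) showing both constructs rewritten so that they compile on a rustc older than the one 1.33.0 requires: `Option::is_none_or` was stabilized in Rust 1.82 and constants that read a `static` in Rust 1.83, so the SSH-key check uses `Option::map_or` (stable since 1.0) and the digest-algorithm alias becomes a `static` reference instead of a `const`. The `Algorithm` struct, the `type_data` map standing in for the decoded cipher JSON, and the sample payloads are all constructed for the example; ring's real `pbkdf2::Algorithm` is an opaque type.

```rust
use std::collections::HashMap;

/// Stand-in for ring's `pbkdf2::Algorithm` (constructed for this example).
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Algorithm {
    pub name: &'static str,
    pub output_len: usize,
}

/// Like ring's `pbkdf2::PBKDF2_HMAC_SHA256`, this is a `static`, not a `const`.
pub static PBKDF2_HMAC_SHA256: Algorithm = Algorithm {
    name: "PBKDF2-HMAC-SHA256",
    output_len: 32,
};

// vaultwarden 1.33.0 writes `const DIGEST_ALG: pbkdf2::Algorithm = pbkdf2::PBKDF2_HMAC_SHA256;`,
// which rustc < 1.83 rejects with E0658 ("referencing statics in constants").
// Holding a `&'static` to the static instead compiles on both old and new toolchains
// and the call sites keep reading `DIGEST_ALG` unchanged.
pub static DIGEST_ALG: &Algorithm = &PBKDF2_HMAC_SHA256;

/// Derived-key length the caller would hand to the PBKDF2 routine.
pub fn digest_output_len() -> usize {
    DIGEST_ALG.output_len
}

/// The SSH-key completeness check from `cipher.rs` lines 282-284 of the log,
/// rewritten with `Option::map_or(true, ..)`, which has the same meaning as
/// `Option::is_none_or(..)`: true when the field is absent OR present but empty.
/// `type_data` stands in for the decoded cipher JSON object; a `&str` lookup
/// plays the role of `type_data_json[..].as_str()`.
pub fn ssh_key_is_incomplete(type_data: &HashMap<&str, &str>) -> bool {
    let field = |name: &str| type_data.get(name).copied();
    field("keyFingerprint").map_or(true, |v| v.is_empty())
        || field("privateKey").map_or(true, |v| v.is_empty())
        || field("publicKey").map_or(true, |v| v.is_empty())
}

fn main() {
    // Constructed sample payloads: one complete key, one with a missing field,
    // one with an empty field.
    let complete = HashMap::from([
        ("keyFingerprint", "SHA256:AbCdEf"),
        ("privateKey", "-----BEGIN OPENSSH PRIVATE KEY-----"),
        ("publicKey", "ssh-ed25519 AAAAC3Nza"),
    ]);
    let mut missing = complete.clone();
    missing.remove("keyFingerprint");
    let mut empty = complete.clone();
    empty.insert("privateKey", "");

    println!("complete incomplete? {}", ssh_key_is_incomplete(&complete));
    println!("missing  incomplete? {}", ssh_key_is_incomplete(&missing));
    println!("empty    incomplete? {}", ssh_key_is_incomplete(&empty));
    println!("digest {} -> {} bytes", DIGEST_ALG.name, digest_output_len());
}
```

Both rewrites are behaviour-preserving, so a backport that carried them would still reject the same malformed SSH-key ciphers and still derive keys with the same algorithm; the cost is only that the check reads slightly less clearly than with `is_none_or`, which is why upstream moved to it once the MSRV allowed.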