vaultwarden-1.35.4 contains security fixes for the following advisories. - GHSA-w9f8-m526-h7fh. This vulnerability would allow an attacker to access a cipher from a different user (fully encrypted) if they already know its internal UUID. - GHSA-h4hq-rgvh-wh27. This vulnerability allows an attacker with manager-level access within an organization to modify collections they can access, even if they do not have management permissions for them. - GHSA-r32r-j5jq-3w4m. This vulnerability allows an attacker with manager-level access within an organization to modify collections they are not assigned.
Overview on all changes can be found at https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.4. Getting this update to build on -stable is tricky as it needs a newer version of rust. I 'fixed' this by partly reverting a recent commit [0]. I did some light testing using the diff below. Additional tests would be helpful. [0] https://github.com/dani-garcia/vaultwarden/pull/6843 Index: Makefile =================================================================== RCS file: /cvs/ports/security/vaultwarden/Makefile,v diff -u -p -r1.49.2.2 Makefile --- Makefile 11 Feb 2026 07:49:57 -0000 1.49.2.2 +++ Makefile 24 Feb 2026 20:16:39 -0000 @@ -8,7 +8,7 @@ BROKEN-i386 = raw-cpuid-10.2.0/src/lib. COMMENT = unofficial bitwarden compatible server -DIST_TUPLE = github dani-garcia vaultwarden 1.35.3 . +DIST_TUPLE = github dani-garcia vaultwarden 1.35.4 . CATEGORIES = security Index: distinfo =================================================================== RCS file: /cvs/ports/security/vaultwarden/distinfo,v diff -u -p -r1.29.2.2 distinfo --- distinfo 11 Feb 2026 07:49:57 -0000 1.29.2.2 +++ distinfo 24 Feb 2026 20:16:39 -0000 @@ -636,7 +636,7 @@ SHA256 (cargo/zmij-1.0.20.tar.gz) = TemN SHA256 (cargo/zstd-0.13.3.tar.gz) = 6R7jEaVpwycXFlFWbgeXIgDnb8/iJCpPpEYUmjiBwIo= SHA256 (cargo/zstd-safe-7.2.4.tar.gz) = j0nE1fCrtgKpP7hzavKk9N2VEuNvf1cNZuZf+GftO50= SHA256 (cargo/zstd-sys-2.0.16+zstd.1.5.7.tar.gz) = keGevCrcj4PkMDnnl3bj/ajKkZEy1oof7WpfrKJoN0g= -SHA256 (dani-garcia-vaultwarden-1.35.3.tar.gz) = cgXBv48Fp9uJx3wyE84fjjXgbEU/ppAPhJVCNGzKsmE= +SHA256 (dani-garcia-vaultwarden-1.35.4.tar.gz) = 8oaJ6mTOnPoWabRJWPIpp0q8n7BkKF2LN+BksoiI5rc= SIZE (cargo/adler2-2.0.1.tar.gz) = 13366 SIZE (cargo/aes-0.8.4.tar.gz) = 124812 SIZE (cargo/ahash-0.8.12.tar.gz) = 43413 @@ -1275,4 +1275,4 @@ SIZE (cargo/zmij-1.0.20.tar.gz) = 26975 SIZE (cargo/zstd-0.13.3.tar.gz) = 30514 SIZE (cargo/zstd-safe-7.2.4.tar.gz) = 29350 SIZE (cargo/zstd-sys-2.0.16+zstd.1.5.7.tar.gz) = 775620 -SIZE (dani-garcia-vaultwarden-1.35.3.tar.gz) = 720993 +SIZE (dani-garcia-vaultwarden-1.35.4.tar.gz) = 718913 Index: patches/patch-Cargo_lock =================================================================== RCS file: patches/patch-Cargo_lock diff -N patches/patch-Cargo_lock --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-Cargo_lock 24 Feb 2026 20:16:39 -0000 @@ -0,0 +1,820 @@ +Index: Cargo.lock +--- Cargo.lock.orig ++++ Cargo.lock +@@ -16,7 +16,7 @@ checksum = "b169f7a6d4742236a0a00c541b845991d0ac43e546 + dependencies = [ + "cfg-if", + "cipher", +- "cpufeatures 0.2.17", ++ "cpufeatures", + ] + + [[package]] +@@ -93,7 +93,7 @@ checksum = "3c3610892ee6e0cbce8ae2700349fcf8f98adb0dbf + dependencies = [ + "base64ct", + "blake2", +- "cpufeatures 0.2.17", ++ "cpufeatures", + "password-hash", + ] + +@@ -173,9 +173,9 @@ dependencies = [ + + [[package]] + name = "async-executor" +-version = "1.14.0" ++version = "1.13.3" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "c96bf972d85afc50bf5ab8fe2d54d1586b4e0b46c97c50a0c9e71e2f7bcd812a" ++checksum = "497c00e0fd83a72a79a39fcbd8e3e2f055d6f6c7e025f3b3d91f4f8e76527fb8" + dependencies = [ + "async-task", + "concurrent-queue", +@@ -360,9 +360,9 @@ checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe95 + + [[package]] + name = "aws-config" +-version = "1.8.14" ++version = "1.8.13" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "8a8fc176d53d6fe85017f230405e3255cedb4a02221cb55ed6d76dccbbb099b2" ++checksum = "c456581cb3c77fafcc8c67204a70680d40b61112d6da78c77bd31d945b65f1b5" + dependencies = [ + "aws-credential-types", + "aws-runtime", +@@ -390,9 +390,9 @@ dependencies = [ + + [[package]] + name = "aws-credential-types" +-version = "1.2.13" ++version = "1.2.11" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "6d203b0bf2626dcba8665f5cd0871d7c2c0930223d6b6be9097592fea21242d0" ++checksum = "3cd362783681b15d136480ad555a099e82ecd8e2d10a841e14dfd0078d67fee3" + dependencies = [ + "aws-smithy-async", + "aws-smithy-runtime-api", +@@ -402,9 +402,9 @@ dependencies = [ + + [[package]] + name = "aws-runtime" +-version = "1.7.1" ++version = "1.6.0" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "ede2ddc593e6c8acc6ce3358c28d6677a6dc49b65ba4b37a2befe14a11297e75" ++checksum = "c635c2dc792cb4a11ce1a4f392a925340d1bdf499289b5ec1ec6810954eb43f5" + dependencies = [ + "aws-credential-types", + "aws-sigv4", +@@ -415,7 +415,6 @@ dependencies = [ + "aws-smithy-types", + "aws-types", + "bytes", +- "bytes-utils", + "fastrand", + "http 1.4.0", + "http-body 1.0.1", +@@ -427,9 +426,9 @@ dependencies = [ + + [[package]] + name = "aws-sdk-sso" +-version = "1.95.0" ++version = "1.93.0" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "00c5ff27c6ba2cbd95e6e26e2e736676fdf6bcf96495b187733f521cfe4ce448" ++checksum = "9dcb38bb33fc0a11f1ffc3e3e85669e0a11a37690b86f77e75306d8f369146a0" + dependencies = [ + "aws-credential-types", + "aws-runtime", +@@ -451,9 +450,9 @@ dependencies = [ + + [[package]] + name = "aws-sdk-ssooidc" +-version = "1.97.0" ++version = "1.95.0" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "4d186f1e5a3694a188e5a0640b3115ccc6e084d104e16fd6ba968dca072ffef8" ++checksum = "2ada8ffbea7bd1be1f53df1dadb0f8fdb04badb13185b3321b929d1ee3caad09" + dependencies = [ + "aws-credential-types", + "aws-runtime", +@@ -475,9 +474,9 @@ dependencies = [ + + [[package]] + name = "aws-sdk-sts" +-version = "1.99.0" ++version = "1.97.0" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "9acba7c62f3d4e2408fa998a3a8caacd8b9a5b5549cf36e2372fbdae329d5449" ++checksum = "e6443ccadc777095d5ed13e21f5c364878c9f5bad4e35187a6cdbd863b0afcad" + dependencies = [ + "aws-credential-types", + "aws-runtime", +@@ -500,9 +499,9 @@ dependencies = [ + + [[package]] + name = "aws-sigv4" +-version = "1.4.1" ++version = "1.3.8" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "37411f8e0f4bea0c3ca0958ce7f18f6439db24d555dbd809787262cd00926aa9" ++checksum = "efa49f3c607b92daae0c078d48a4571f599f966dce3caee5f1ea55c4d9073f99" + dependencies = [ + "aws-credential-types", + "aws-smithy-http", +@@ -522,9 +521,9 @@ dependencies = [ + + [[package]] + name = "aws-smithy-async" +-version = "1.2.13" ++version = "1.2.11" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "5cc50d0f63e714784b84223abd7abbc8577de8c35d699e0edd19f0a88a08ae13" ++checksum = "52eec3db979d18cb807fc1070961cc51d87d069abe9ab57917769687368a8c6c" + dependencies = [ + "futures-util", + "pin-project-lite", +@@ -533,9 +532,9 @@ dependencies = [ + + [[package]] + name = "aws-smithy-http" +-version = "0.63.5" ++version = "0.63.3" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "d619373d490ad70966994801bc126846afaa0d1ee920697a031f0cf63f2568e7" ++checksum = "630e67f2a31094ffa51b210ae030855cb8f3b7ee1329bdd8d085aaf61e8b97fc" + dependencies = [ + "aws-smithy-runtime-api", + "aws-smithy-types", +@@ -554,27 +553,27 @@ dependencies = [ + + [[package]] + name = "aws-smithy-json" +-version = "0.62.4" ++version = "0.62.3" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "27b3a779093e18cad88bbae08dc4261e1d95018c4c5b9356a52bcae7c0b6e9bb" ++checksum = "3cb96aa208d62ee94104645f7b2ecaf77bf27edf161590b6224bfbac2832f979" + dependencies = [ + "aws-smithy-types", + ] + + [[package]] + name = "aws-smithy-observability" +-version = "0.2.5" ++version = "0.2.4" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "4d3f39d5bb871aaf461d59144557f16d5927a5248a983a40654d9cf3b9ba183b" ++checksum = "c0a46543fbc94621080b3cf553eb4cbbdc41dd9780a30c4756400f0139440a1d" + dependencies = [ + "aws-smithy-runtime-api", + ] + + [[package]] + name = "aws-smithy-query" +-version = "0.60.14" ++version = "0.60.13" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "05f76a580e3d8f8961e5d48763214025a2af65c2fa4cd1fb7f270a0e107a71b0" ++checksum = "0cebbddb6f3a5bd81553643e9c7daf3cc3dc5b0b5f398ac668630e8a84e6fff0" + dependencies = [ + "aws-smithy-types", + "urlencoding", +@@ -582,9 +581,9 @@ dependencies = [ + + [[package]] + name = "aws-smithy-runtime" +-version = "1.10.2" ++version = "1.10.0" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "22ccf7f6eba8b2dcf8ce9b74806c6c185659c311665c4bf8d6e71ebd454db6bf" ++checksum = "f3df87c14f0127a0d77eb261c3bc45d5b4833e2a1f63583ebfb728e4852134ee" + dependencies = [ + "aws-smithy-async", + "aws-smithy-http", +@@ -606,9 +605,9 @@ dependencies = [ + + [[package]] + name = "aws-smithy-runtime-api" +-version = "1.11.5" ++version = "1.11.3" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "b4af6e5def28be846479bbeac55aa4603d6f7986fc5da4601ba324dd5d377516" ++checksum = "49952c52f7eebb72ce2a754d3866cc0f87b97d2a46146b79f80f3a93fb2b3716" + dependencies = [ + "aws-smithy-async", + "aws-smithy-types", +@@ -623,9 +622,9 @@ dependencies = [ + + [[package]] + name = "aws-smithy-types" +-version = "1.4.5" ++version = "1.4.3" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "8ca2734c16913a45343b37313605d84e7d8b34a4611598ce1d25b35860a2bed3" ++checksum = "3b3a26048eeab0ddeba4b4f9d51654c79af8c3b32357dc5f336cee85ab331c33" + dependencies = [ + "base64-simd", + "bytes", +@@ -646,18 +645,18 @@ dependencies = [ + + [[package]] + name = "aws-smithy-xml" +-version = "0.60.14" ++version = "0.60.13" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "b53543b4b86ed43f051644f704a98c7291b3618b67adf057ee77a366fa52fcaa" ++checksum = "11b2f670422ff42bf7065031e72b45bc52a3508bd089f743ea90731ca2b6ea57" + dependencies = [ + "xmlparser", + ] + + [[package]] + name = "aws-types" +-version = "1.3.13" ++version = "1.3.11" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "0470cc047657c6e286346bdf10a8719d26efd6a91626992e0e64481e44323e96" ++checksum = "1d980627d2dd7bfc32a3c025685a033eeab8d365cc840c631ef59d1b8f428164" + dependencies = [ + "aws-credential-types", + "aws-smithy-async", +@@ -744,9 +743,9 @@ checksum = "383d29d513d8764dcdc42ea295d979eb99c3c9f006 + + [[package]] + name = "bitflags" +-version = "2.11.0" ++version = "2.10.0" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af" ++checksum = "812e12b5285cc515a9c72a5c1d3b6d46a19dac5acfef5265968c166106e31dd3" + + [[package]] + name = "blake2" +@@ -927,9 +926,9 @@ dependencies = [ + + [[package]] + name = "cc" +-version = "1.2.56" ++version = "1.2.55" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "aebf35691d1bfb0ac386a69bac2fde4dd276fb618cf8bf4f5318fe285e821bb2" ++checksum = "47b26a0954ae34af09b50f0de26458fa95369a0d478d8236d3f93082b219bd29" + dependencies = [ + "find-msvc-tools", + "jobserver", +@@ -950,17 +949,6 @@ source = "registry+https://github.com/rust-lang/crates + checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724" + + [[package]] +-name = "chacha20" +-version = "0.10.0" +-source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "6f8d983286843e49675a4b7a2d174efe136dc93a18d69130dd18198a6c167601" +-dependencies = [ +- "cfg-if", +- "cpufeatures 0.3.0", +- "rand_core 0.10.0", +-] +- +-[[package]] + name = "chrono" + version = "0.4.43" + source = "registry+https://github.com/rust-lang/crates.io-index"; +@@ -1087,9 +1075,9 @@ dependencies = [ + + [[package]] + name = "cookie_store" +-version = "0.22.1" ++version = "0.22.0" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "15b2c103cf610ec6cae3da84a766285b42fd16aad564758459e6ecf128c75206" ++checksum = "3fc4bff745c9b4c7fb1e97b25d13153da2bc7796260141df62378998d070207f" + dependencies = [ + "cookie", + "document-features", +@@ -1139,15 +1127,6 @@ dependencies = [ + ] + + [[package]] +-name = "cpufeatures" +-version = "0.3.0" +-source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "8b2a41393f66f16b0823bb79094d54ac5fbd34ab292ddafb9a0456ac9f87d201" +-dependencies = [ +- "libc", +-] +- +-[[package]] + name = "crc32c" + version = "0.6.8" + source = "registry+https://github.com/rust-lang/crates.io-index"; +@@ -1241,7 +1220,7 @@ source = "registry+https://github.com/rust-lang/crates + checksum = "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be" + dependencies = [ + "cfg-if", +- "cpufeatures 0.2.17", ++ "cpufeatures", + "curve25519-dalek-derive", + "digest", + "fiat-crypto", +@@ -1397,9 +1376,9 @@ dependencies = [ + + [[package]] + name = "deranged" +-version = "0.5.6" ++version = "0.5.5" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "cc3dc5ad92c2e2d1c193bbbbdf2ea477cb81331de4f3103f267ca18368b988c4" ++checksum = "ececcb659e7ba858fb4f10388c250a7252eb0a27373f1a72b8748afdd248e587" + dependencies = [ + "powerfmt", + "serde_core", +@@ -1906,9 +1885,9 @@ dependencies = [ + + [[package]] + name = "futures" +-version = "0.3.32" ++version = "0.3.31" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "8b147ee9d1f6d097cef9ce628cd2ee62288d963e16fb287bd9286455b241382d" ++checksum = "65bc07b1a8bc7c85c5f2e110c476c7389b4554ba72af57d8445ea63a576b0876" + dependencies = [ + "futures-channel", + "futures-core", +@@ -1921,9 +1900,9 @@ dependencies = [ + + [[package]] + name = "futures-channel" +-version = "0.3.32" ++version = "0.3.31" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d" ++checksum = "2dff15bf788c671c1934e366d07e30c1814a8ef514e1af724a602e8a2fbe1b10" + dependencies = [ + "futures-core", + "futures-sink", +@@ -1931,15 +1910,15 @@ dependencies = [ + + [[package]] + name = "futures-core" +-version = "0.3.32" ++version = "0.3.31" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "7e3450815272ef58cec6d564423f6e755e25379b217b0bc688e295ba24df6b1d" ++checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e" + + [[package]] + name = "futures-executor" +-version = "0.3.32" ++version = "0.3.31" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "baf29c38818342a3b26b5b923639e7b1f4a61fc5e76102d4b1981c6dc7a7579d" ++checksum = "1e28d1d997f585e54aebc3f97d39e72338912123a67330d723fdbb564d646c9f" + dependencies = [ + "futures-core", + "futures-task", +@@ -1948,9 +1927,9 @@ dependencies = [ + + [[package]] + name = "futures-io" +-version = "0.3.32" ++version = "0.3.31" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "cecba35d7ad927e23624b22ad55235f2239cfa44fd10428eecbeba6d6a717718" ++checksum = "9e5c1b78ca4aae1ac06c48a526a655760685149f0d465d21f37abfe57ce075c6" + + [[package]] + name = "futures-lite" +@@ -1967,9 +1946,9 @@ dependencies = [ + + [[package]] + name = "futures-macro" +-version = "0.3.32" ++version = "0.3.31" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "e835b70203e41293343137df5c0664546da5745f82ec9b84d40be8336958447b" ++checksum = "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650" + dependencies = [ + "proc-macro2", + "quote", +@@ -1978,15 +1957,15 @@ dependencies = [ + + [[package]] + name = "futures-sink" +-version = "0.3.32" ++version = "0.3.31" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "c39754e157331b013978ec91992bde1ac089843443c49cbc7f46150b0fad0893" ++checksum = "e575fab7d1e0dcb8d0c7bcf9a63ee213816ab51902e6d244a95819acacf1d4f7" + + [[package]] + name = "futures-task" +-version = "0.3.32" ++version = "0.3.31" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393" ++checksum = "f90f7dce0722e95104fcb095585910c0977252f286e354b5e3bd38902cd99988" + + [[package]] + name = "futures-timer" +@@ -1996,9 +1975,9 @@ checksum = "f288b0a4f20f9a56b5d1da57e2227c661b7b16168e + + [[package]] + name = "futures-util" +-version = "0.3.32" ++version = "0.3.31" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "389ca41296e6190b48053de0321d02a77f32f8a5d2461dd38762c0593805c6d6" ++checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81" + dependencies = [ + "futures-channel", + "futures-core", +@@ -2008,6 +1987,7 @@ dependencies = [ + "futures-task", + "memchr", + "pin-project-lite", ++ "pin-utils", + "slab", + ] + +@@ -2071,7 +2051,6 @@ dependencies = [ + "cfg-if", + "libc", + "r-efi", +- "rand_core 0.10.0", + "wasip2", + "wasip3", + ] +@@ -2468,6 +2447,22 @@ dependencies = [ + ] + + [[package]] ++name = "hyper-tls" ++version = "0.6.0" ++source = "registry+https://github.com/rust-lang/crates.io-index"; ++checksum = "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0" ++dependencies = [ ++ "bytes", ++ "http-body-util", ++ "hyper 1.8.1", ++ "hyper-util", ++ "native-tls", ++ "tokio", ++ "tokio-native-tls", ++ "tower-service", ++] ++ ++[[package]] + name = "hyper-util" + version = "0.1.20" + source = "registry+https://github.com/rust-lang/crates.io-index"; +@@ -2731,9 +2726,9 @@ checksum = "47f142fe24a9c9944451e8349de0a56af5f3e7226d + + [[package]] + name = "jiff" +-version = "0.2.20" ++version = "0.2.19" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "c867c356cc096b33f4981825ab281ecba3db0acefe60329f044c1789d94c6543" ++checksum = "d89a5b5e10d5a9ad6e5d1f4bd58225f655d6fe9767575a5e8ac5a6fe64e04495" + dependencies = [ + "jiff-static", + "jiff-tzdb-platform", +@@ -2746,9 +2741,9 @@ dependencies = [ + + [[package]] + name = "jiff-static" +-version = "0.2.20" ++version = "0.2.19" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "f7946b4325269738f270bb55b3c19ab5c5040525f83fd625259422a9d25d9be5" ++checksum = "ff7a39c8862fc1369215ccf0a8f12dd4598c7f6484704359f0351bd617034dbf" + dependencies = [ + "proc-macro2", + "quote", +@@ -2906,9 +2901,9 @@ dependencies = [ + + [[package]] + name = "libc" +-version = "0.2.182" ++version = "0.2.181" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112" ++checksum = "459427e2af2b9c839b132acb702a1c654d95e10f8c326bfc2ad11310e458b1c5" + + [[package]] + name = "libm" +@@ -3034,7 +3029,7 @@ source = "registry+https://github.com/rust-lang/crates + checksum = "36c791ecdf977c99f45f23280405d7723727470f6689a5e6dbf513ac547ae10d" + dependencies = [ + "serde", +- "toml 0.9.12+spec-1.1.0", ++ "toml 0.9.11+spec-1.1.0", + ] + + [[package]] +@@ -3153,6 +3148,23 @@ dependencies = [ + ] + + [[package]] ++name = "native-tls" ++version = "0.2.14" ++source = "registry+https://github.com/rust-lang/crates.io-index"; ++checksum = "87de3442987e9dbec73158d5c715e7ad9072fda936bb03d19d7fa10e00520f0e" ++dependencies = [ ++ "libc", ++ "log", ++ "openssl", ++ "openssl-probe 0.1.6", ++ "openssl-sys", ++ "schannel", ++ "security-framework 2.11.1", ++ "security-framework-sys", ++ "tempfile", ++] ++ ++[[package]] + name = "nom" + version = "7.1.3" + source = "registry+https://github.com/rust-lang/crates.io-index"; +@@ -3429,6 +3441,12 @@ dependencies = [ + + [[package]] + name = "openssl-probe" ++version = "0.1.6" ++source = "registry+https://github.com/rust-lang/crates.io-index"; ++checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e" ++ ++[[package]] ++name = "openssl-probe" + version = "0.2.1" + source = "registry+https://github.com/rust-lang/crates.io-index"; + checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe" +@@ -4082,17 +4100,6 @@ dependencies = [ + ] + + [[package]] +-name = "rand" +-version = "0.10.0" +-source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "bc266eb313df6c5c09c1c7b1fbe2510961e5bcd3add930c1e31f7ed9da0feff8" +-dependencies = [ +- "chacha20", +- "getrandom 0.4.1", +- "rand_core 0.10.0", +-] +- +-[[package]] + name = "rand_chacha" + version = "0.3.1" + source = "registry+https://github.com/rust-lang/crates.io-index"; +@@ -4131,12 +4138,6 @@ dependencies = [ + ] + + [[package]] +-name = "rand_core" +-version = "0.10.0" +-source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "0c8d0fd677905edcbeedbf2edb6494d676f0e98d54d5cf9bda0b061cb8fb8aba" +- +-[[package]] + name = "raw-cpuid" + version = "11.6.0" + source = "registry+https://github.com/rust-lang/crates.io-index"; +@@ -4273,10 +4274,12 @@ dependencies = [ + "http-body-util", + "hyper 1.8.1", + "hyper-rustls", ++ "hyper-tls", + "hyper-util", + "js-sys", + "log", + "mime", ++ "native-tls", + "percent-encoding", + "pin-project-lite", + "quinn", +@@ -4288,6 +4291,7 @@ dependencies = [ + "serde_urlencoded", + "sync_wrapper", + "tokio", ++ "tokio-native-tls", + "tokio-rustls 0.26.4", + "tokio-util", + "tower", +@@ -4576,10 +4580,10 @@ version = "0.8.3" + source = "registry+https://github.com/rust-lang/crates.io-index"; + checksum = "612460d5f7bea540c490b2b6395d8e34a953e52b491accd6c86c8164c5932a63" + dependencies = [ +- "openssl-probe", ++ "openssl-probe 0.2.1", + "rustls-pki-types", + "schannel", +- "security-framework", ++ "security-framework 3.5.1", + ] + + [[package]] +@@ -4743,11 +4747,24 @@ dependencies = [ + + [[package]] + name = "security-framework" +-version = "3.6.0" ++version = "2.11.1" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "d17b898a6d6948c3a8ee4372c17cb384f90d2e6e912ef00895b14fd7ab54ec38" ++checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02" + dependencies = [ + "bitflags", ++ "core-foundation 0.9.4", ++ "core-foundation-sys", ++ "libc", ++ "security-framework-sys", ++] ++ ++[[package]] ++name = "security-framework" ++version = "3.5.1" ++source = "registry+https://github.com/rust-lang/crates.io-index"; ++checksum = "b3297343eaf830f66ede390ea39da1d462b6b0c1b000f420d0a83f898bbbe6ef" ++dependencies = [ ++ "bitflags", + "core-foundation 0.10.1", + "core-foundation-sys", + "libc", +@@ -4756,9 +4773,9 @@ dependencies = [ + + [[package]] + name = "security-framework-sys" +-version = "2.16.0" ++version = "2.15.0" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "321c8673b092a9a42605034a9879d73cb79101ed5fd117bc9a597b89b4e9e61a" ++checksum = "cc1f0cbffaac4852523ce30d8bd3c5cdc873501d96ff467ca09b6767bb8cd5c0" + dependencies = [ + "core-foundation-sys", + "libc", +@@ -4925,7 +4942,7 @@ source = "registry+https://github.com/rust-lang/crates + checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba" + dependencies = [ + "cfg-if", +- "cpufeatures 0.2.17", ++ "cpufeatures", + "digest", + ] + +@@ -4936,7 +4953,7 @@ source = "registry+https://github.com/rust-lang/crates + checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283" + dependencies = [ + "cfg-if", +- "cpufeatures 0.2.17", ++ "cpufeatures", + "digest", + ] + +@@ -4993,9 +5010,9 @@ checksum = "e320a6c5ad31d271ad523dcf3ad13e2767ad8b1cb8 + + [[package]] + name = "simple_asn1" +-version = "0.6.4" ++version = "0.6.3" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "0d585997b0ac10be3c5ee635f1bab02d512760d14b7c468801ac8a01d9ae5f1d" ++checksum = "297f631f50729c8c99b84667867963997ec0b50f32b2a7dbcab828ef0541e8bb" + dependencies = [ + "num-bigint", + "num-traits", +@@ -5144,22 +5161,23 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c + + [[package]] + name = "svg-hush" +-version = "0.9.6" ++version = "0.9.5" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "929223e80cdcec0482207576ea09692dd71b2b559057fc172e292ecec9a97559" ++checksum = "8d647e9386e34dd750ba80bdb7dae2a2c50b78338515ffeb9fa7bdd3ef803bf2" + dependencies = [ + "base64 0.22.1", + "data-url", ++ "once_cell", + "quick-error", + "url", +- "xml", ++ "xml-rs", + ] + + [[package]] + name = "syn" +-version = "2.0.116" ++version = "2.0.114" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "3df424c70518695237746f84cede799c9c58fcb37450d7b23716568cc8bc69cb" ++checksum = "d4d107df263a3013ef9b1879b0df87d706ff80f65a86ea879bd9c31f9b307c2a" + dependencies = [ + "proc-macro2", + "quote", +@@ -5392,6 +5410,16 @@ dependencies = [ + ] + + [[package]] ++name = "tokio-native-tls" ++version = "0.3.1" ++source = "registry+https://github.com/rust-lang/crates.io-index"; ++checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2" ++dependencies = [ ++ "native-tls", ++ "tokio", ++] ++ ++[[package]] + name = "tokio-rustls" + version = "0.24.1" + source = "registry+https://github.com/rust-lang/crates.io-index"; +@@ -5462,9 +5490,9 @@ dependencies = [ + + [[package]] + name = "toml" +-version = "0.9.12+spec-1.1.0" ++version = "0.9.11+spec-1.1.0" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "cf92845e79fc2e2def6a5d828f0801e29a2f8acc037becc5ab08595c7d5e9863" ++checksum = "f3afc9a848309fe1aaffaed6e1546a7a14de1f935dc9d89d32afd9a44bab7c46" + dependencies = [ + "serde_core", + "serde_spanned 1.0.4", +@@ -5507,9 +5535,9 @@ dependencies = [ + + [[package]] + name = "toml_parser" +-version = "1.0.9+spec-1.1.0" ++version = "1.0.6+spec-1.1.0" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "702d4415e08923e7e1ef96cd5727c0dfed80b4d2fa25db9647fe5eb6f7c5a4c4" ++checksum = "a3198b4b0a8e11f09dd03e133c0280504d0801269e9afa46362ffde1cbeebf44" + dependencies = [ + "winnow 0.7.14", + ] +@@ -5714,9 +5742,9 @@ checksum = "dbc4bc3a9f746d862c45cb89d705aa10f187bb96c7 + + [[package]] + name = "unicode-ident" +-version = "1.0.24" ++version = "1.0.23" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75" ++checksum = "537dd038a89878be9b64dd4bd1b260315c1bb94f4d784956b81e27a088d9a09e" + + [[package]] + name = "unicode-segmentation" +@@ -5769,11 +5797,11 @@ checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27 + + [[package]] + name = "uuid" +-version = "1.21.0" ++version = "1.20.0" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "b672338555252d43fd2240c714dc444b8c6fb0a5c5335e65a07bba7742735ddb" ++checksum = "ee48d38b119b0cd71fe4141b30f5ba9c7c5d9f4e7a3a8b4a674e4b6ef789976f" + dependencies = [ +- "getrandom 0.4.1", ++ "getrandom 0.3.4", + "js-sys", + "serde_core", + "wasm-bindgen", +@@ -5840,7 +5868,7 @@ dependencies = [ + "pastey 0.2.1", + "percent-encoding", + "pico-args", +- "rand 0.10.0", ++ "rand 0.9.2", + "regex", + "reqsign", + "reqwest", +@@ -6637,10 +6665,10 @@ dependencies = [ + ] + + [[package]] +-name = "xml" +-version = "1.2.1" ++name = "xml-rs" ++version = "0.8.28" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "b8aa498d22c9bbaf482329839bc5620c46be275a19a812e9a22a2b07529a642a" ++checksum = "3ae8337f8a065cfc972643663ea4279e04e7256de865aa66fe25cec5fb912d3f" + + [[package]] + name = "xmlparser" +@@ -6778,9 +6806,9 @@ dependencies = [ + + [[package]] + name = "zmij" +-version = "1.0.21" ++version = "1.0.20" + source = "registry+https://github.com/rust-lang/crates.io-index"; +-checksum = "b8848ee67ecc8aedbaf3e4122217aff892639231befc6a1b58d29fff4c2cabaa" ++checksum = "4de98dfa5d5b7fef4ee834d0073d560c9ca7b6c46a71d058c48db7960f8cfaf7" + + [[package]] + name = "zstd" Index: patches/patch-Cargo_toml =================================================================== RCS file: /cvs/ports/security/vaultwarden/patches/Attic/patch-Cargo_toml,v diff -u -p -r1.6.2.1 patch-Cargo_toml --- patches/patch-Cargo_toml 11 Feb 2026 07:49:57 -0000 1.6.2.1 +++ patches/patch-Cargo_toml 24 Feb 2026 20:16:39 -0000 @@ -9,3 +9,66 @@ Index: Cargo.toml license = "AGPL-3.0-only" repository = "https://github.com/dani-garcia/vaultwarden"; publish = false +@@ -78,7 +78,7 @@ rmpv = "1.3.1" # MessagePack library + dashmap = "6.1.0" + + # Async futures +-futures = "0.3.32" ++futures = "0.3.31" + tokio = { version = "1.49.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] } + tokio-util = { version = "0.7.18", features = ["compat"]} + +@@ -98,12 +98,12 @@ diesel-derive-newtype = "2.1.2" + libsqlite3-sys = { version = "0.35.0", features = ["bundled"], optional = true } + + # Crypto-related libraries +-rand = "0.10.0" ++rand = "0.9.2" + ring = "0.17.14" + subtle = "2.6.1" + + # UUID generation +-uuid = { version = "1.21.0", features = ["v4"] } ++uuid = { version = "1.20.0", features = ["v4"] } + + # Date and time libraries + chrono = { version = "0.4.43", features = ["clock", "serde"], default-features = false } +@@ -152,14 +152,14 @@ html5gum = "0.8.3" + regex = { version = "1.12.3", features = ["std", "perf", "unicode-perl"], default-features = false } + data-url = "0.3.2" + bytes = "1.11.1" +-svg-hush = "0.9.6" ++svg-hush = "0.9.5" + + # Cache function results (Used for version check and favicon fetching) + cached = { version = "0.56.0", features = ["async"] } + + # Used for custom short lived cookie jar during favicon extraction + cookie = "0.18.1" +-cookie_store = "0.22.1" ++cookie_store = "0.22.0" + + # Used by U2F, JWT and PostgreSQL + openssl = "0.10.75" +@@ -172,7 +172,7 @@ pastey = "0.2.1" + governor = "0.10.4" + + # OIDC for SSO +-openidconnect = { version = "4.0.1", features = ["reqwest", "rustls-tls"] } ++openidconnect = { version = "4.0.1", features = ["reqwest", "native-tls"] } + mini-moka = "0.10.3" + + # Check client versions for specific features. +@@ -198,9 +198,9 @@ opendal = { version = "0.55.0", features = ["services- + + # For retrieving AWS credentials, including temporary SSO credentials + anyhow = { version = "1.0.101", optional = true } +-aws-config = { version = "1.8.14", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true } +-aws-credential-types = { version = "1.2.13", optional = true } +-aws-smithy-runtime-api = { version = "1.11.5", optional = true } ++aws-config = { version = "1.8.13", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true } ++aws-credential-types = { version = "1.2.11", optional = true } ++aws-smithy-runtime-api = { version = "1.11.3", optional = true } + http = { version = "1.4.0", optional = true } + reqsign = { version = "0.16.5", optional = true } + Index: patches/patch-src_api_core_accounts_rs =================================================================== RCS file: patches/patch-src_api_core_accounts_rs diff -N patches/patch-src_api_core_accounts_rs --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_api_core_accounts_rs 24 Feb 2026 20:16:39 -0000 @@ -0,0 +1,17 @@ +Index: src/api/core/accounts.rs +--- src/api/core/accounts.rs.orig ++++ src/api/core/accounts.rs +@@ -1193,9 +1193,10 @@ async fn password_hint(data: Json<PasswordHintData>, c + // There is still a timing side channel here in that the code + // paths that send mail take noticeably longer than ones that + // don't. Add a randomized sleep to mitigate this somewhat. +- use rand::{rngs::SmallRng, RngExt}; +- let mut rng: SmallRng = rand::make_rng(); +- let sleep_ms = rng.random_range(900..=1100) as u64; ++ use rand::{rngs::SmallRng, Rng, SeedableRng}; ++ let mut rng = SmallRng::from_os_rng(); ++ let delta: i32 = 100; ++ let sleep_ms = (1_000 + rng.random_range(-delta..=delta)) as u64; + tokio::time::sleep(tokio::time::Duration::from_millis(sleep_ms)).await; + Ok(()) + } else { Index: patches/patch-src_api_identity_rs =================================================================== RCS file: patches/patch-src_api_identity_rs diff -N patches/patch-src_api_identity_rs --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_api_identity_rs 24 Feb 2026 20:16:39 -0000 @@ -0,0 +1,17 @@ +Index: src/api/identity.rs +--- src/api/identity.rs.orig ++++ src/api/identity.rs +@@ -977,9 +977,10 @@ async fn register_verification_email( + // There is still a timing side channel here in that the code + // paths that send mail take noticeably longer than ones that don't. + // Add a randomized sleep to mitigate this somewhat. +- use rand::{rngs::SmallRng, RngExt}; +- let mut rng: SmallRng = rand::make_rng(); +- let sleep_ms = rng.random_range(900..=1100) as u64; ++ use rand::{rngs::SmallRng, Rng, SeedableRng}; ++ let mut rng = SmallRng::from_os_rng(); ++ let delta: i32 = 100; ++ let sleep_ms = (1_000 + rng.random_range(-delta..=delta)) as u64; + tokio::time::sleep(tokio::time::Duration::from_millis(sleep_ms)).await; + } else { + mail::send_register_verify_email(&data.email, &token).await?; Index: patches/patch-src_crypto_rs =================================================================== RCS file: patches/patch-src_crypto_rs diff -N patches/patch-src_crypto_rs --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_crypto_rs 24 Feb 2026 20:16:39 -0000 @@ -0,0 +1,19 @@ +Index: src/crypto.rs +--- src/crypto.rs.orig ++++ src/crypto.rs +@@ -55,13 +55,13 @@ pub fn encode_random_bytes<const N: usize>(e: &Encodin + /// Generates a random string over a specified alphabet. + pub fn get_random_string(alphabet: &[u8], num_chars: usize) -> String { + // Ref: https://rust-lang-nursery.github.io/rust-cookbook/algorithms/randomness.html +- use rand::RngExt; ++ use rand::Rng; + let mut rng = rand::rng(); + + (0..num_chars) + .map(|_| { + let i = rng.random_range(0..alphabet.len()); +- char::from(alphabet[i]) ++ alphabet[i] as char + }) + .collect() + }
