On Tue, 24 Feb 2026 21:34:57 +0100, Bjorn Ketelaars <[email protected]> wrote: > > vaultwarden-1.35.4 contains security fixes for the following advisories. > > - GHSA-w9f8-m526-h7fh. This vulnerability would allow an attacker to > access a cipher from a different user (fully encrypted) if they > already know its internal UUID. > - GHSA-h4hq-rgvh-wh27. This vulnerability allows an attacker with > manager-level access within an organization to modify collections they > can access, even if they do not have management permissions for them. > - GHSA-r32r-j5jq-3w4m. This vulnerability allows an attacker with > manager-level access within an organization to modify collections they > are not assigned. > > Overview on all changes can be found at > https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.4. > > Getting this update to build on -stable is tricky as it needs a newer > version of rust. I 'fixed' this by partly reverting a recent commit [0]. > > I did some light testing using the diff below. Additional tests would be > helpful. > > [0] https://github.com/dani-garcia/vaultwarden/pull/6843 >
Compiles on -stable and I had briefly tested agains iOS app. I not sure how to backport it cleaner, so OK kirill@ > > Index: Makefile > =================================================================== > RCS file: /cvs/ports/security/vaultwarden/Makefile,v > diff -u -p -r1.49.2.2 Makefile > --- Makefile 11 Feb 2026 07:49:57 -0000 1.49.2.2 > +++ Makefile 24 Feb 2026 20:16:39 -0000 > @@ -8,7 +8,7 @@ BROKEN-i386 = raw-cpuid-10.2.0/src/lib. > > COMMENT = unofficial bitwarden compatible server > > -DIST_TUPLE = github dani-garcia vaultwarden 1.35.3 . > +DIST_TUPLE = github dani-garcia vaultwarden 1.35.4 . > > CATEGORIES = security > > Index: distinfo > =================================================================== > RCS file: /cvs/ports/security/vaultwarden/distinfo,v > diff -u -p -r1.29.2.2 distinfo > --- distinfo 11 Feb 2026 07:49:57 -0000 1.29.2.2 > +++ distinfo 24 Feb 2026 20:16:39 -0000 > @@ -636,7 +636,7 @@ SHA256 (cargo/zmij-1.0.20.tar.gz) = TemN > SHA256 (cargo/zstd-0.13.3.tar.gz) = > 6R7jEaVpwycXFlFWbgeXIgDnb8/iJCpPpEYUmjiBwIo= > SHA256 (cargo/zstd-safe-7.2.4.tar.gz) = > j0nE1fCrtgKpP7hzavKk9N2VEuNvf1cNZuZf+GftO50= > SHA256 (cargo/zstd-sys-2.0.16+zstd.1.5.7.tar.gz) = > keGevCrcj4PkMDnnl3bj/ajKkZEy1oof7WpfrKJoN0g= > -SHA256 (dani-garcia-vaultwarden-1.35.3.tar.gz) = > cgXBv48Fp9uJx3wyE84fjjXgbEU/ppAPhJVCNGzKsmE= > +SHA256 (dani-garcia-vaultwarden-1.35.4.tar.gz) = > 8oaJ6mTOnPoWabRJWPIpp0q8n7BkKF2LN+BksoiI5rc= > SIZE (cargo/adler2-2.0.1.tar.gz) = 13366 > SIZE (cargo/aes-0.8.4.tar.gz) = 124812 > SIZE (cargo/ahash-0.8.12.tar.gz) = 43413 > @@ -1275,4 +1275,4 @@ SIZE (cargo/zmij-1.0.20.tar.gz) = 26975 > SIZE (cargo/zstd-0.13.3.tar.gz) = 30514 > SIZE (cargo/zstd-safe-7.2.4.tar.gz) = 29350 > SIZE (cargo/zstd-sys-2.0.16+zstd.1.5.7.tar.gz) = 775620 > -SIZE (dani-garcia-vaultwarden-1.35.3.tar.gz) = 720993 > +SIZE (dani-garcia-vaultwarden-1.35.4.tar.gz) = 718913 > Index: patches/patch-Cargo_lock > =================================================================== > RCS file: patches/patch-Cargo_lock > diff -N patches/patch-Cargo_lock > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-Cargo_lock 24 Feb 2026 20:16:39 -0000 > @@ -0,0 +1,820 @@ > +Index: Cargo.lock > +--- Cargo.lock.orig > ++++ Cargo.lock > +@@ -16,7 +16,7 @@ checksum = "b169f7a6d4742236a0a00c541b845991d0ac43e546 > + dependencies = [ > + "cfg-if", > + "cipher", > +- "cpufeatures 0.2.17", > ++ "cpufeatures", > + ] > + > + [[package]] > +@@ -93,7 +93,7 @@ checksum = "3c3610892ee6e0cbce8ae2700349fcf8f98adb0dbf > + dependencies = [ > + "base64ct", > + "blake2", > +- "cpufeatures 0.2.17", > ++ "cpufeatures", > + "password-hash", > + ] > + > +@@ -173,9 +173,9 @@ dependencies = [ > + > + [[package]] > + name = "async-executor" > +-version = "1.14.0" > ++version = "1.13.3" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "c96bf972d85afc50bf5ab8fe2d54d1586b4e0b46c97c50a0c9e71e2f7bcd812a" > ++checksum = > "497c00e0fd83a72a79a39fcbd8e3e2f055d6f6c7e025f3b3d91f4f8e76527fb8" > + dependencies = [ > + "async-task", > + "concurrent-queue", > +@@ -360,9 +360,9 @@ checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe95 > + > + [[package]] > + name = "aws-config" > +-version = "1.8.14" > ++version = "1.8.13" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "8a8fc176d53d6fe85017f230405e3255cedb4a02221cb55ed6d76dccbbb099b2" > ++checksum = > "c456581cb3c77fafcc8c67204a70680d40b61112d6da78c77bd31d945b65f1b5" > + dependencies = [ > + "aws-credential-types", > + "aws-runtime", > +@@ -390,9 +390,9 @@ dependencies = [ > + > + [[package]] > + name = "aws-credential-types" > +-version = "1.2.13" > ++version = "1.2.11" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "6d203b0bf2626dcba8665f5cd0871d7c2c0930223d6b6be9097592fea21242d0" > ++checksum = > "3cd362783681b15d136480ad555a099e82ecd8e2d10a841e14dfd0078d67fee3" > + dependencies = [ > + "aws-smithy-async", > + "aws-smithy-runtime-api", > +@@ -402,9 +402,9 @@ dependencies = [ > + > + [[package]] > + name = "aws-runtime" > +-version = "1.7.1" > ++version = "1.6.0" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "ede2ddc593e6c8acc6ce3358c28d6677a6dc49b65ba4b37a2befe14a11297e75" > ++checksum = > "c635c2dc792cb4a11ce1a4f392a925340d1bdf499289b5ec1ec6810954eb43f5" > + dependencies = [ > + "aws-credential-types", > + "aws-sigv4", > +@@ -415,7 +415,6 @@ dependencies = [ > + "aws-smithy-types", > + "aws-types", > + "bytes", > +- "bytes-utils", > + "fastrand", > + "http 1.4.0", > + "http-body 1.0.1", > +@@ -427,9 +426,9 @@ dependencies = [ > + > + [[package]] > + name = "aws-sdk-sso" > +-version = "1.95.0" > ++version = "1.93.0" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "00c5ff27c6ba2cbd95e6e26e2e736676fdf6bcf96495b187733f521cfe4ce448" > ++checksum = > "9dcb38bb33fc0a11f1ffc3e3e85669e0a11a37690b86f77e75306d8f369146a0" > + dependencies = [ > + "aws-credential-types", > + "aws-runtime", > +@@ -451,9 +450,9 @@ dependencies = [ > + > + [[package]] > + name = "aws-sdk-ssooidc" > +-version = "1.97.0" > ++version = "1.95.0" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "4d186f1e5a3694a188e5a0640b3115ccc6e084d104e16fd6ba968dca072ffef8" > ++checksum = > "2ada8ffbea7bd1be1f53df1dadb0f8fdb04badb13185b3321b929d1ee3caad09" > + dependencies = [ > + "aws-credential-types", > + "aws-runtime", > +@@ -475,9 +474,9 @@ dependencies = [ > + > + [[package]] > + name = "aws-sdk-sts" > +-version = "1.99.0" > ++version = "1.97.0" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "9acba7c62f3d4e2408fa998a3a8caacd8b9a5b5549cf36e2372fbdae329d5449" > ++checksum = > "e6443ccadc777095d5ed13e21f5c364878c9f5bad4e35187a6cdbd863b0afcad" > + dependencies = [ > + "aws-credential-types", > + "aws-runtime", > +@@ -500,9 +499,9 @@ dependencies = [ > + > + [[package]] > + name = "aws-sigv4" > +-version = "1.4.1" > ++version = "1.3.8" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "37411f8e0f4bea0c3ca0958ce7f18f6439db24d555dbd809787262cd00926aa9" > ++checksum = > "efa49f3c607b92daae0c078d48a4571f599f966dce3caee5f1ea55c4d9073f99" > + dependencies = [ > + "aws-credential-types", > + "aws-smithy-http", > +@@ -522,9 +521,9 @@ dependencies = [ > + > + [[package]] > + name = "aws-smithy-async" > +-version = "1.2.13" > ++version = "1.2.11" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "5cc50d0f63e714784b84223abd7abbc8577de8c35d699e0edd19f0a88a08ae13" > ++checksum = > "52eec3db979d18cb807fc1070961cc51d87d069abe9ab57917769687368a8c6c" > + dependencies = [ > + "futures-util", > + "pin-project-lite", > +@@ -533,9 +532,9 @@ dependencies = [ > + > + [[package]] > + name = "aws-smithy-http" > +-version = "0.63.5" > ++version = "0.63.3" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "d619373d490ad70966994801bc126846afaa0d1ee920697a031f0cf63f2568e7" > ++checksum = > "630e67f2a31094ffa51b210ae030855cb8f3b7ee1329bdd8d085aaf61e8b97fc" > + dependencies = [ > + "aws-smithy-runtime-api", > + "aws-smithy-types", > +@@ -554,27 +553,27 @@ dependencies = [ > + > + [[package]] > + name = "aws-smithy-json" > +-version = "0.62.4" > ++version = "0.62.3" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "27b3a779093e18cad88bbae08dc4261e1d95018c4c5b9356a52bcae7c0b6e9bb" > ++checksum = > "3cb96aa208d62ee94104645f7b2ecaf77bf27edf161590b6224bfbac2832f979" > + dependencies = [ > + "aws-smithy-types", > + ] > + > + [[package]] > + name = "aws-smithy-observability" > +-version = "0.2.5" > ++version = "0.2.4" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "4d3f39d5bb871aaf461d59144557f16d5927a5248a983a40654d9cf3b9ba183b" > ++checksum = > "c0a46543fbc94621080b3cf553eb4cbbdc41dd9780a30c4756400f0139440a1d" > + dependencies = [ > + "aws-smithy-runtime-api", > + ] > + > + [[package]] > + name = "aws-smithy-query" > +-version = "0.60.14" > ++version = "0.60.13" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "05f76a580e3d8f8961e5d48763214025a2af65c2fa4cd1fb7f270a0e107a71b0" > ++checksum = > "0cebbddb6f3a5bd81553643e9c7daf3cc3dc5b0b5f398ac668630e8a84e6fff0" > + dependencies = [ > + "aws-smithy-types", > + "urlencoding", > +@@ -582,9 +581,9 @@ dependencies = [ > + > + [[package]] > + name = "aws-smithy-runtime" > +-version = "1.10.2" > ++version = "1.10.0" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "22ccf7f6eba8b2dcf8ce9b74806c6c185659c311665c4bf8d6e71ebd454db6bf" > ++checksum = > "f3df87c14f0127a0d77eb261c3bc45d5b4833e2a1f63583ebfb728e4852134ee" > + dependencies = [ > + "aws-smithy-async", > + "aws-smithy-http", > +@@ -606,9 +605,9 @@ dependencies = [ > + > + [[package]] > + name = "aws-smithy-runtime-api" > +-version = "1.11.5" > ++version = "1.11.3" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "b4af6e5def28be846479bbeac55aa4603d6f7986fc5da4601ba324dd5d377516" > ++checksum = > "49952c52f7eebb72ce2a754d3866cc0f87b97d2a46146b79f80f3a93fb2b3716" > + dependencies = [ > + "aws-smithy-async", > + "aws-smithy-types", > +@@ -623,9 +622,9 @@ dependencies = [ > + > + [[package]] > + name = "aws-smithy-types" > +-version = "1.4.5" > ++version = "1.4.3" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "8ca2734c16913a45343b37313605d84e7d8b34a4611598ce1d25b35860a2bed3" > ++checksum = > "3b3a26048eeab0ddeba4b4f9d51654c79af8c3b32357dc5f336cee85ab331c33" > + dependencies = [ > + "base64-simd", > + "bytes", > +@@ -646,18 +645,18 @@ dependencies = [ > + > + [[package]] > + name = "aws-smithy-xml" > +-version = "0.60.14" > ++version = "0.60.13" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "b53543b4b86ed43f051644f704a98c7291b3618b67adf057ee77a366fa52fcaa" > ++checksum = > "11b2f670422ff42bf7065031e72b45bc52a3508bd089f743ea90731ca2b6ea57" > + dependencies = [ > + "xmlparser", > + ] > + > + [[package]] > + name = "aws-types" > +-version = "1.3.13" > ++version = "1.3.11" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "0470cc047657c6e286346bdf10a8719d26efd6a91626992e0e64481e44323e96" > ++checksum = > "1d980627d2dd7bfc32a3c025685a033eeab8d365cc840c631ef59d1b8f428164" > + dependencies = [ > + "aws-credential-types", > + "aws-smithy-async", > +@@ -744,9 +743,9 @@ checksum = "383d29d513d8764dcdc42ea295d979eb99c3c9f006 > + > + [[package]] > + name = "bitflags" > +-version = "2.11.0" > ++version = "2.10.0" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af" > ++checksum = > "812e12b5285cc515a9c72a5c1d3b6d46a19dac5acfef5265968c166106e31dd3" > + > + [[package]] > + name = "blake2" > +@@ -927,9 +926,9 @@ dependencies = [ > + > + [[package]] > + name = "cc" > +-version = "1.2.56" > ++version = "1.2.55" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "aebf35691d1bfb0ac386a69bac2fde4dd276fb618cf8bf4f5318fe285e821bb2" > ++checksum = > "47b26a0954ae34af09b50f0de26458fa95369a0d478d8236d3f93082b219bd29" > + dependencies = [ > + "find-msvc-tools", > + "jobserver", > +@@ -950,17 +949,6 @@ source = "registry+https://github.com/rust-lang/crates > + checksum = > "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724" > + > + [[package]] > +-name = "chacha20" > +-version = "0.10.0" > +-source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "6f8d983286843e49675a4b7a2d174efe136dc93a18d69130dd18198a6c167601" > +-dependencies = [ > +- "cfg-if", > +- "cpufeatures 0.3.0", > +- "rand_core 0.10.0", > +-] > +- > +-[[package]] > + name = "chrono" > + version = "0.4.43" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +@@ -1087,9 +1075,9 @@ dependencies = [ > + > + [[package]] > + name = "cookie_store" > +-version = "0.22.1" > ++version = "0.22.0" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "15b2c103cf610ec6cae3da84a766285b42fd16aad564758459e6ecf128c75206" > ++checksum = > "3fc4bff745c9b4c7fb1e97b25d13153da2bc7796260141df62378998d070207f" > + dependencies = [ > + "cookie", > + "document-features", > +@@ -1139,15 +1127,6 @@ dependencies = [ > + ] > + > + [[package]] > +-name = "cpufeatures" > +-version = "0.3.0" > +-source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "8b2a41393f66f16b0823bb79094d54ac5fbd34ab292ddafb9a0456ac9f87d201" > +-dependencies = [ > +- "libc", > +-] > +- > +-[[package]] > + name = "crc32c" > + version = "0.6.8" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +@@ -1241,7 +1220,7 @@ source = "registry+https://github.com/rust-lang/crates > + checksum = > "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be" > + dependencies = [ > + "cfg-if", > +- "cpufeatures 0.2.17", > ++ "cpufeatures", > + "curve25519-dalek-derive", > + "digest", > + "fiat-crypto", > +@@ -1397,9 +1376,9 @@ dependencies = [ > + > + [[package]] > + name = "deranged" > +-version = "0.5.6" > ++version = "0.5.5" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "cc3dc5ad92c2e2d1c193bbbbdf2ea477cb81331de4f3103f267ca18368b988c4" > ++checksum = > "ececcb659e7ba858fb4f10388c250a7252eb0a27373f1a72b8748afdd248e587" > + dependencies = [ > + "powerfmt", > + "serde_core", > +@@ -1906,9 +1885,9 @@ dependencies = [ > + > + [[package]] > + name = "futures" > +-version = "0.3.32" > ++version = "0.3.31" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "8b147ee9d1f6d097cef9ce628cd2ee62288d963e16fb287bd9286455b241382d" > ++checksum = > "65bc07b1a8bc7c85c5f2e110c476c7389b4554ba72af57d8445ea63a576b0876" > + dependencies = [ > + "futures-channel", > + "futures-core", > +@@ -1921,9 +1900,9 @@ dependencies = [ > + > + [[package]] > + name = "futures-channel" > +-version = "0.3.32" > ++version = "0.3.31" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d" > ++checksum = > "2dff15bf788c671c1934e366d07e30c1814a8ef514e1af724a602e8a2fbe1b10" > + dependencies = [ > + "futures-core", > + "futures-sink", > +@@ -1931,15 +1910,15 @@ dependencies = [ > + > + [[package]] > + name = "futures-core" > +-version = "0.3.32" > ++version = "0.3.31" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "7e3450815272ef58cec6d564423f6e755e25379b217b0bc688e295ba24df6b1d" > ++checksum = > "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e" > + > + [[package]] > + name = "futures-executor" > +-version = "0.3.32" > ++version = "0.3.31" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "baf29c38818342a3b26b5b923639e7b1f4a61fc5e76102d4b1981c6dc7a7579d" > ++checksum = > "1e28d1d997f585e54aebc3f97d39e72338912123a67330d723fdbb564d646c9f" > + dependencies = [ > + "futures-core", > + "futures-task", > +@@ -1948,9 +1927,9 @@ dependencies = [ > + > + [[package]] > + name = "futures-io" > +-version = "0.3.32" > ++version = "0.3.31" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "cecba35d7ad927e23624b22ad55235f2239cfa44fd10428eecbeba6d6a717718" > ++checksum = > "9e5c1b78ca4aae1ac06c48a526a655760685149f0d465d21f37abfe57ce075c6" > + > + [[package]] > + name = "futures-lite" > +@@ -1967,9 +1946,9 @@ dependencies = [ > + > + [[package]] > + name = "futures-macro" > +-version = "0.3.32" > ++version = "0.3.31" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "e835b70203e41293343137df5c0664546da5745f82ec9b84d40be8336958447b" > ++checksum = > "162ee34ebcb7c64a8abebc059ce0fee27c2262618d7b60ed8faf72fef13c3650" > + dependencies = [ > + "proc-macro2", > + "quote", > +@@ -1978,15 +1957,15 @@ dependencies = [ > + > + [[package]] > + name = "futures-sink" > +-version = "0.3.32" > ++version = "0.3.31" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "c39754e157331b013978ec91992bde1ac089843443c49cbc7f46150b0fad0893" > ++checksum = > "e575fab7d1e0dcb8d0c7bcf9a63ee213816ab51902e6d244a95819acacf1d4f7" > + > + [[package]] > + name = "futures-task" > +-version = "0.3.32" > ++version = "0.3.31" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393" > ++checksum = > "f90f7dce0722e95104fcb095585910c0977252f286e354b5e3bd38902cd99988" > + > + [[package]] > + name = "futures-timer" > +@@ -1996,9 +1975,9 @@ checksum = "f288b0a4f20f9a56b5d1da57e2227c661b7b16168e > + > + [[package]] > + name = "futures-util" > +-version = "0.3.32" > ++version = "0.3.31" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "389ca41296e6190b48053de0321d02a77f32f8a5d2461dd38762c0593805c6d6" > ++checksum = > "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81" > + dependencies = [ > + "futures-channel", > + "futures-core", > +@@ -2008,6 +1987,7 @@ dependencies = [ > + "futures-task", > + "memchr", > + "pin-project-lite", > ++ "pin-utils", > + "slab", > + ] > + > +@@ -2071,7 +2051,6 @@ dependencies = [ > + "cfg-if", > + "libc", > + "r-efi", > +- "rand_core 0.10.0", > + "wasip2", > + "wasip3", > + ] > +@@ -2468,6 +2447,22 @@ dependencies = [ > + ] > + > + [[package]] > ++name = "hyper-tls" > ++version = "0.6.0" > ++source = "registry+https://github.com/rust-lang/crates.io-index"; > ++checksum = > "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0" > ++dependencies = [ > ++ "bytes", > ++ "http-body-util", > ++ "hyper 1.8.1", > ++ "hyper-util", > ++ "native-tls", > ++ "tokio", > ++ "tokio-native-tls", > ++ "tower-service", > ++] > ++ > ++[[package]] > + name = "hyper-util" > + version = "0.1.20" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +@@ -2731,9 +2726,9 @@ checksum = "47f142fe24a9c9944451e8349de0a56af5f3e7226d > + > + [[package]] > + name = "jiff" > +-version = "0.2.20" > ++version = "0.2.19" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "c867c356cc096b33f4981825ab281ecba3db0acefe60329f044c1789d94c6543" > ++checksum = > "d89a5b5e10d5a9ad6e5d1f4bd58225f655d6fe9767575a5e8ac5a6fe64e04495" > + dependencies = [ > + "jiff-static", > + "jiff-tzdb-platform", > +@@ -2746,9 +2741,9 @@ dependencies = [ > + > + [[package]] > + name = "jiff-static" > +-version = "0.2.20" > ++version = "0.2.19" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "f7946b4325269738f270bb55b3c19ab5c5040525f83fd625259422a9d25d9be5" > ++checksum = > "ff7a39c8862fc1369215ccf0a8f12dd4598c7f6484704359f0351bd617034dbf" > + dependencies = [ > + "proc-macro2", > + "quote", > +@@ -2906,9 +2901,9 @@ dependencies = [ > + > + [[package]] > + name = "libc" > +-version = "0.2.182" > ++version = "0.2.181" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112" > ++checksum = > "459427e2af2b9c839b132acb702a1c654d95e10f8c326bfc2ad11310e458b1c5" > + > + [[package]] > + name = "libm" > +@@ -3034,7 +3029,7 @@ source = "registry+https://github.com/rust-lang/crates > + checksum = > "36c791ecdf977c99f45f23280405d7723727470f6689a5e6dbf513ac547ae10d" > + dependencies = [ > + "serde", > +- "toml 0.9.12+spec-1.1.0", > ++ "toml 0.9.11+spec-1.1.0", > + ] > + > + [[package]] > +@@ -3153,6 +3148,23 @@ dependencies = [ > + ] > + > + [[package]] > ++name = "native-tls" > ++version = "0.2.14" > ++source = "registry+https://github.com/rust-lang/crates.io-index"; > ++checksum = > "87de3442987e9dbec73158d5c715e7ad9072fda936bb03d19d7fa10e00520f0e" > ++dependencies = [ > ++ "libc", > ++ "log", > ++ "openssl", > ++ "openssl-probe 0.1.6", > ++ "openssl-sys", > ++ "schannel", > ++ "security-framework 2.11.1", > ++ "security-framework-sys", > ++ "tempfile", > ++] > ++ > ++[[package]] > + name = "nom" > + version = "7.1.3" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +@@ -3429,6 +3441,12 @@ dependencies = [ > + > + [[package]] > + name = "openssl-probe" > ++version = "0.1.6" > ++source = "registry+https://github.com/rust-lang/crates.io-index"; > ++checksum = > "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e" > ++ > ++[[package]] > ++name = "openssl-probe" > + version = "0.2.1" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > + checksum = > "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe" > +@@ -4082,17 +4100,6 @@ dependencies = [ > + ] > + > + [[package]] > +-name = "rand" > +-version = "0.10.0" > +-source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "bc266eb313df6c5c09c1c7b1fbe2510961e5bcd3add930c1e31f7ed9da0feff8" > +-dependencies = [ > +- "chacha20", > +- "getrandom 0.4.1", > +- "rand_core 0.10.0", > +-] > +- > +-[[package]] > + name = "rand_chacha" > + version = "0.3.1" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +@@ -4131,12 +4138,6 @@ dependencies = [ > + ] > + > + [[package]] > +-name = "rand_core" > +-version = "0.10.0" > +-source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "0c8d0fd677905edcbeedbf2edb6494d676f0e98d54d5cf9bda0b061cb8fb8aba" > +- > +-[[package]] > + name = "raw-cpuid" > + version = "11.6.0" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +@@ -4273,10 +4274,12 @@ dependencies = [ > + "http-body-util", > + "hyper 1.8.1", > + "hyper-rustls", > ++ "hyper-tls", > + "hyper-util", > + "js-sys", > + "log", > + "mime", > ++ "native-tls", > + "percent-encoding", > + "pin-project-lite", > + "quinn", > +@@ -4288,6 +4291,7 @@ dependencies = [ > + "serde_urlencoded", > + "sync_wrapper", > + "tokio", > ++ "tokio-native-tls", > + "tokio-rustls 0.26.4", > + "tokio-util", > + "tower", > +@@ -4576,10 +4580,10 @@ version = "0.8.3" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > + checksum = > "612460d5f7bea540c490b2b6395d8e34a953e52b491accd6c86c8164c5932a63" > + dependencies = [ > +- "openssl-probe", > ++ "openssl-probe 0.2.1", > + "rustls-pki-types", > + "schannel", > +- "security-framework", > ++ "security-framework 3.5.1", > + ] > + > + [[package]] > +@@ -4743,11 +4747,24 @@ dependencies = [ > + > + [[package]] > + name = "security-framework" > +-version = "3.6.0" > ++version = "2.11.1" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "d17b898a6d6948c3a8ee4372c17cb384f90d2e6e912ef00895b14fd7ab54ec38" > ++checksum = > "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02" > + dependencies = [ > + "bitflags", > ++ "core-foundation 0.9.4", > ++ "core-foundation-sys", > ++ "libc", > ++ "security-framework-sys", > ++] > ++ > ++[[package]] > ++name = "security-framework" > ++version = "3.5.1" > ++source = "registry+https://github.com/rust-lang/crates.io-index"; > ++checksum = > "b3297343eaf830f66ede390ea39da1d462b6b0c1b000f420d0a83f898bbbe6ef" > ++dependencies = [ > ++ "bitflags", > + "core-foundation 0.10.1", > + "core-foundation-sys", > + "libc", > +@@ -4756,9 +4773,9 @@ dependencies = [ > + > + [[package]] > + name = "security-framework-sys" > +-version = "2.16.0" > ++version = "2.15.0" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "321c8673b092a9a42605034a9879d73cb79101ed5fd117bc9a597b89b4e9e61a" > ++checksum = > "cc1f0cbffaac4852523ce30d8bd3c5cdc873501d96ff467ca09b6767bb8cd5c0" > + dependencies = [ > + "core-foundation-sys", > + "libc", > +@@ -4925,7 +4942,7 @@ source = "registry+https://github.com/rust-lang/crates > + checksum = > "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba" > + dependencies = [ > + "cfg-if", > +- "cpufeatures 0.2.17", > ++ "cpufeatures", > + "digest", > + ] > + > +@@ -4936,7 +4953,7 @@ source = "registry+https://github.com/rust-lang/crates > + checksum = > "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283" > + dependencies = [ > + "cfg-if", > +- "cpufeatures 0.2.17", > ++ "cpufeatures", > + "digest", > + ] > + > +@@ -4993,9 +5010,9 @@ checksum = "e320a6c5ad31d271ad523dcf3ad13e2767ad8b1cb8 > + > + [[package]] > + name = "simple_asn1" > +-version = "0.6.4" > ++version = "0.6.3" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "0d585997b0ac10be3c5ee635f1bab02d512760d14b7c468801ac8a01d9ae5f1d" > ++checksum = > "297f631f50729c8c99b84667867963997ec0b50f32b2a7dbcab828ef0541e8bb" > + dependencies = [ > + "num-bigint", > + "num-traits", > +@@ -5144,22 +5161,23 @@ checksum = > "13c2bddecc57b384dee18652358fb23172facb8a2c > + > + [[package]] > + name = "svg-hush" > +-version = "0.9.6" > ++version = "0.9.5" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "929223e80cdcec0482207576ea09692dd71b2b559057fc172e292ecec9a97559" > ++checksum = > "8d647e9386e34dd750ba80bdb7dae2a2c50b78338515ffeb9fa7bdd3ef803bf2" > + dependencies = [ > + "base64 0.22.1", > + "data-url", > ++ "once_cell", > + "quick-error", > + "url", > +- "xml", > ++ "xml-rs", > + ] > + > + [[package]] > + name = "syn" > +-version = "2.0.116" > ++version = "2.0.114" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "3df424c70518695237746f84cede799c9c58fcb37450d7b23716568cc8bc69cb" > ++checksum = > "d4d107df263a3013ef9b1879b0df87d706ff80f65a86ea879bd9c31f9b307c2a" > + dependencies = [ > + "proc-macro2", > + "quote", > +@@ -5392,6 +5410,16 @@ dependencies = [ > + ] > + > + [[package]] > ++name = "tokio-native-tls" > ++version = "0.3.1" > ++source = "registry+https://github.com/rust-lang/crates.io-index"; > ++checksum = > "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2" > ++dependencies = [ > ++ "native-tls", > ++ "tokio", > ++] > ++ > ++[[package]] > + name = "tokio-rustls" > + version = "0.24.1" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +@@ -5462,9 +5490,9 @@ dependencies = [ > + > + [[package]] > + name = "toml" > +-version = "0.9.12+spec-1.1.0" > ++version = "0.9.11+spec-1.1.0" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "cf92845e79fc2e2def6a5d828f0801e29a2f8acc037becc5ab08595c7d5e9863" > ++checksum = > "f3afc9a848309fe1aaffaed6e1546a7a14de1f935dc9d89d32afd9a44bab7c46" > + dependencies = [ > + "serde_core", > + "serde_spanned 1.0.4", > +@@ -5507,9 +5535,9 @@ dependencies = [ > + > + [[package]] > + name = "toml_parser" > +-version = "1.0.9+spec-1.1.0" > ++version = "1.0.6+spec-1.1.0" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "702d4415e08923e7e1ef96cd5727c0dfed80b4d2fa25db9647fe5eb6f7c5a4c4" > ++checksum = > "a3198b4b0a8e11f09dd03e133c0280504d0801269e9afa46362ffde1cbeebf44" > + dependencies = [ > + "winnow 0.7.14", > + ] > +@@ -5714,9 +5742,9 @@ checksum = "dbc4bc3a9f746d862c45cb89d705aa10f187bb96c7 > + > + [[package]] > + name = "unicode-ident" > +-version = "1.0.24" > ++version = "1.0.23" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75" > ++checksum = > "537dd038a89878be9b64dd4bd1b260315c1bb94f4d784956b81e27a088d9a09e" > + > + [[package]] > + name = "unicode-segmentation" > +@@ -5769,11 +5797,11 @@ checksum = > "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27 > + > + [[package]] > + name = "uuid" > +-version = "1.21.0" > ++version = "1.20.0" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "b672338555252d43fd2240c714dc444b8c6fb0a5c5335e65a07bba7742735ddb" > ++checksum = > "ee48d38b119b0cd71fe4141b30f5ba9c7c5d9f4e7a3a8b4a674e4b6ef789976f" > + dependencies = [ > +- "getrandom 0.4.1", > ++ "getrandom 0.3.4", > + "js-sys", > + "serde_core", > + "wasm-bindgen", > +@@ -5840,7 +5868,7 @@ dependencies = [ > + "pastey 0.2.1", > + "percent-encoding", > + "pico-args", > +- "rand 0.10.0", > ++ "rand 0.9.2", > + "regex", > + "reqsign", > + "reqwest", > +@@ -6637,10 +6665,10 @@ dependencies = [ > + ] > + > + [[package]] > +-name = "xml" > +-version = "1.2.1" > ++name = "xml-rs" > ++version = "0.8.28" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "b8aa498d22c9bbaf482329839bc5620c46be275a19a812e9a22a2b07529a642a" > ++checksum = > "3ae8337f8a065cfc972643663ea4279e04e7256de865aa66fe25cec5fb912d3f" > + > + [[package]] > + name = "xmlparser" > +@@ -6778,9 +6806,9 @@ dependencies = [ > + > + [[package]] > + name = "zmij" > +-version = "1.0.21" > ++version = "1.0.20" > + source = "registry+https://github.com/rust-lang/crates.io-index"; > +-checksum = > "b8848ee67ecc8aedbaf3e4122217aff892639231befc6a1b58d29fff4c2cabaa" > ++checksum = > "4de98dfa5d5b7fef4ee834d0073d560c9ca7b6c46a71d058c48db7960f8cfaf7" > + > + [[package]] > + name = "zstd" > Index: patches/patch-Cargo_toml > =================================================================== > RCS file: /cvs/ports/security/vaultwarden/patches/Attic/patch-Cargo_toml,v > diff -u -p -r1.6.2.1 patch-Cargo_toml > --- patches/patch-Cargo_toml 11 Feb 2026 07:49:57 -0000 1.6.2.1 > +++ patches/patch-Cargo_toml 24 Feb 2026 20:16:39 -0000 > @@ -9,3 +9,66 @@ Index: Cargo.toml > license = "AGPL-3.0-only" > repository = "https://github.com/dani-garcia/vaultwarden"; > publish = false > +@@ -78,7 +78,7 @@ rmpv = "1.3.1" # MessagePack library > + dashmap = "6.1.0" > + > + # Async futures > +-futures = "0.3.32" > ++futures = "0.3.31" > + tokio = { version = "1.49.0", features = ["rt-multi-thread", "fs", > "io-util", "parking_lot", "time", "signal", "net"] } > + tokio-util = { version = "0.7.18", features = ["compat"]} > + > +@@ -98,12 +98,12 @@ diesel-derive-newtype = "2.1.2" > + libsqlite3-sys = { version = "0.35.0", features = ["bundled"], optional = > true } > + > + # Crypto-related libraries > +-rand = "0.10.0" > ++rand = "0.9.2" > + ring = "0.17.14" > + subtle = "2.6.1" > + > + # UUID generation > +-uuid = { version = "1.21.0", features = ["v4"] } > ++uuid = { version = "1.20.0", features = ["v4"] } > + > + # Date and time libraries > + chrono = { version = "0.4.43", features = ["clock", "serde"], > default-features = false } > +@@ -152,14 +152,14 @@ html5gum = "0.8.3" > + regex = { version = "1.12.3", features = ["std", "perf", "unicode-perl"], > default-features = false } > + data-url = "0.3.2" > + bytes = "1.11.1" > +-svg-hush = "0.9.6" > ++svg-hush = "0.9.5" > + > + # Cache function results (Used for version check and favicon fetching) > + cached = { version = "0.56.0", features = ["async"] } > + > + # Used for custom short lived cookie jar during favicon extraction > + cookie = "0.18.1" > +-cookie_store = "0.22.1" > ++cookie_store = "0.22.0" > + > + # Used by U2F, JWT and PostgreSQL > + openssl = "0.10.75" > +@@ -172,7 +172,7 @@ pastey = "0.2.1" > + governor = "0.10.4" > + > + # OIDC for SSO > +-openidconnect = { version = "4.0.1", features = ["reqwest", "rustls-tls"] } > ++openidconnect = { version = "4.0.1", features = ["reqwest", "native-tls"] } > + mini-moka = "0.10.3" > + > + # Check client versions for specific features. > +@@ -198,9 +198,9 @@ opendal = { version = "0.55.0", features = ["services- > + > + # For retrieving AWS credentials, including temporary SSO credentials > + anyhow = { version = "1.0.101", optional = true } > +-aws-config = { version = "1.8.14", features = ["behavior-version-latest", > "rt-tokio", "credentials-process", "sso"], default-features = false, optional > = true } > +-aws-credential-types = { version = "1.2.13", optional = true } > +-aws-smithy-runtime-api = { version = "1.11.5", optional = true } > ++aws-config = { version = "1.8.13", features = ["behavior-version-latest", > "rt-tokio", "credentials-process", "sso"], default-features = false, optional > = true } > ++aws-credential-types = { version = "1.2.11", optional = true } > ++aws-smithy-runtime-api = { version = "1.11.3", optional = true } > + http = { version = "1.4.0", optional = true } > + reqsign = { version = "0.16.5", optional = true } > + > Index: patches/patch-src_api_core_accounts_rs > =================================================================== > RCS file: patches/patch-src_api_core_accounts_rs > diff -N patches/patch-src_api_core_accounts_rs > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-src_api_core_accounts_rs 24 Feb 2026 20:16:39 -0000 > @@ -0,0 +1,17 @@ > +Index: src/api/core/accounts.rs > +--- src/api/core/accounts.rs.orig > ++++ src/api/core/accounts.rs > +@@ -1193,9 +1193,10 @@ async fn password_hint(data: Json<PasswordHintData>, c > + // There is still a timing side channel here in that the > code > + // paths that send mail take noticeably longer than ones > that > + // don't. Add a randomized sleep to mitigate this somewhat. > +- use rand::{rngs::SmallRng, RngExt}; > +- let mut rng: SmallRng = rand::make_rng(); > +- let sleep_ms = rng.random_range(900..=1100) as u64; > ++ use rand::{rngs::SmallRng, Rng, SeedableRng}; > ++ let mut rng = SmallRng::from_os_rng(); > ++ let delta: i32 = 100; > ++ let sleep_ms = (1_000 + rng.random_range(-delta..=delta)) > as u64; > + > tokio::time::sleep(tokio::time::Duration::from_millis(sleep_ms)).await; > + Ok(()) > + } else { > Index: patches/patch-src_api_identity_rs > =================================================================== > RCS file: patches/patch-src_api_identity_rs > diff -N patches/patch-src_api_identity_rs > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-src_api_identity_rs 24 Feb 2026 20:16:39 -0000 > @@ -0,0 +1,17 @@ > +Index: src/api/identity.rs > +--- src/api/identity.rs.orig > ++++ src/api/identity.rs > +@@ -977,9 +977,10 @@ async fn register_verification_email( > + // There is still a timing side channel here in that the code > + // paths that send mail take noticeably longer than ones that > don't. > + // Add a randomized sleep to mitigate this somewhat. > +- use rand::{rngs::SmallRng, RngExt}; > +- let mut rng: SmallRng = rand::make_rng(); > +- let sleep_ms = rng.random_range(900..=1100) as u64; > ++ use rand::{rngs::SmallRng, Rng, SeedableRng}; > ++ let mut rng = SmallRng::from_os_rng(); > ++ let delta: i32 = 100; > ++ let sleep_ms = (1_000 + rng.random_range(-delta..=delta)) as > u64; > + > tokio::time::sleep(tokio::time::Duration::from_millis(sleep_ms)).await; > + } else { > + mail::send_register_verify_email(&data.email, &token).await?; > Index: patches/patch-src_crypto_rs > =================================================================== > RCS file: patches/patch-src_crypto_rs > diff -N patches/patch-src_crypto_rs > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-src_crypto_rs 24 Feb 2026 20:16:39 -0000 > @@ -0,0 +1,19 @@ > +Index: src/crypto.rs > +--- src/crypto.rs.orig > ++++ src/crypto.rs > +@@ -55,13 +55,13 @@ pub fn encode_random_bytes<const N: usize>(e: &Encodin > + /// Generates a random string over a specified alphabet. > + pub fn get_random_string(alphabet: &[u8], num_chars: usize) -> String { > + // Ref: > https://rust-lang-nursery.github.io/rust-cookbook/algorithms/randomness.html > +- use rand::RngExt; > ++ use rand::Rng; > + let mut rng = rand::rng(); > + > + (0..num_chars) > + .map(|_| { > + let i = rng.random_range(0..alphabet.len()); > +- char::from(alphabet[i]) > ++ alphabet[i] as char > + }) > + .collect() > + } > -- wbr, Kirill
