On Sun 26/01/2025 11:56, Kirill A. Korinsky wrote:
> On Sun, 26 Jan 2025 09:57:04 +0100,
> Kirill A. Korinsky <kir...@korins.ky> wrote:
> >
> > On Sat, 25 Jan 2025 22:05:57 +0100,
> > Bjorn Ketelaars <b...@openbsd.org> wrote:
> > >
> > > Diff below updates vaultwarden to 1.33.0, which contains 3 security
> > > fixes:
> > > - GHSA-f7r5-w49x-gxm3: This vulnerability is only possible if you do not
> > >   have an ADMIN_TOKEN configured and open links or pages you should not
> > >   trust anyway. Ensure you have an ADMIN_TOKEN configured to keep your
> > >   admin environment safe.
> > > - GHSA-h6cc-rc6q-23j4: This vulnerability is only possible if someone
> > >   was able to gain access to your Vaultwarden Admin Backend. The
> > >   attacker could then change some settings to use sendmail as mail agent
> > >   but adjust the settings in such a way that it would use a shell
> > >   command. It then also needed to craft a special favicon image which
> > >   would have the commands embedded to run during, for example, sending a
> > >   test email.
> > > - GHSA-j4h8-vch3-f797: This vulnerability affects all users who have
> > >   multiple Organizations and users which are able to create a new
> > >   organization or have admin or owner rights on at least one
> > >   organization. The attacker does need to know the Organization UUID of
> > >   the Organization it wants to attack or compromise though.
> > >
> > > Overview on changes can be found at
> > > https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.0.
> > >
> > > Run tested on amd64.
> > >
> > > OK/comments?
> > >
> >
> > Tested on -current/amd64 with www/vaultwarden-web-2025.1.1.
> >
> > OK kirill@ for both ports.
> >
> > Do you plan to backport it to -stable?
> >
>
> Well, it requires some effort to backport vaultwarden to -stable.
> Here is the diff which builds on 7.6.
>
> I had tested it with www/vaultwarden-web-2025.1.1 on 7.6/amd64, no
> regression with chrome plugin and iOS client.
>
> Ok?
Ah, great! Builds on 7.6. OK bket@

Kirill, when you are ready to commit to 7.6, could you also commit the
vaultwarden and vaultwarden-web updates to current? As the vaultwarden
update deals with several security issues I would propose _not_ to wait
for an ok from aisha@ (maintainer).