On Mon, 27 Jan 2025 14:17:17 +0100, Aisha Tammy <openbsd.po...@aisha.cc> wrote:
>
> On 1/26/2025 9:58 AM, Bjorn Ketelaars wrote:
> > On Sun 26/01/2025 11:56, Kirill A. Korinsky wrote:
> >> On Sun, 26 Jan 2025 09:57:04 +0100,
> >> Kirill A. Korinsky <kir...@korins.ky> wrote:
> >>> On Sat, 25 Jan 2025 22:05:57 +0100,
> >>> Bjorn Ketelaars <b...@openbsd.org> wrote:
> >>>> Diff below updates vaultwarden to 1.33.0, which contains 3 security
> >>>> fixes:
> >>>> - GHSA-f7r5-w49x-gxm3: This vulnerability is only possible if you do not
> >>>>   have an ADMIN_TOKEN configured and open links or pages you should not
> >>>>   trust anyway. Ensure you have an ADMIN_TOKEN configured to keep your
> >>>>   admin environment safe.
> >>>> - GHSA-h6cc-rc6q-23j4: This vulnerability is only possible if someone
> >>>>   was able to gain access to your Vaultwarden Admin Backend. The
> >>>>   attacker could then change some settings to use sendmail as mail agent
> >>>>   but adjust the settings in such a way that it would use a shell
> >>>>   command. It then also needed to craft a special favicon image which
> >>>>   would have the commands embedded to run during, for example, sending a
> >>>>   test email.
> >>>> - GHSA-j4h8-vch3-f797: This vulnerability affects all users who have
> >>>>   multiple Organizations and users which are able to create a new
> >>>>   organization or have admin or owner rights on at least one
> >>>>   organization. The attacker does need to know the Organization UUID of
> >>>>   the Organization it wants to attack or compromise though.
> >>>>
> >>>> Overview on changes can be found at
> >>>> https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.0.
> >>>>
> >>>> Run tested on amd64.
> >>>>
> >>>> OK/comments?
> >>>>
> >>> Tested on -current/amd64 with www/vaultwarden-web-2025.1.1.
> >>>
> >>> OK kirill@ for both ports.
> >>>
> >>> Do you plan to backport it to -stable?
> >>>
> >> Well, it requires some effort to backport vaultwarden to -stable.
> >>
> >> Here is the diff which builds on 7.6.
> >>
> >> I had tested it with www/vaultwarden-web-2025.1.1 on 7.6/amd64, no
> >> regression with chrome plugin and iOS client.
> >>
> >> Ok?
> >
> > Ah, great! Builds on 7.6.
> >
> > OK bket@
> >
> > Kirill, when you are ready to commit to 7.6, could you also commit the
> > vaultwarden and vaultwarden-web updates to current?
> >
> > As the vaultwarden update deals with several security issues I would
> > propose _not_ to wait for an ok from aisha@ (maintainer).
>
> Sorry, wasn't checking email for the weekend.
>
> It builds fine for me on 7.6, so OK aisha.
>
> One thing about these kinds of security fixes is I'm never sure if the
> problem is only present in the part of the code in the patch. Given that
> they have had quite a few CVEs in the organizations part of the code...
> not sure how many changes they did in other parts of the organizations
> code in between releases.
>
> But thanks a lot for backporting.
>

Thanks for the OK, I'll commit both diffs shortly.

FYI: I had started a discussion about their policy on rust compiler requirements:
https://github.com/dani-garcia/vaultwarden/discussions/5456

--
wbr, Kirill