On 1/26/2025 9:58 AM, Bjorn Ketelaars wrote:
On Sun 26/01/2025 11:56, Kirill A. Korinsky wrote:
On Sun, 26 Jan 2025 09:57:04 +0100,
Kirill A. Korinsky <kir...@korins.ky> wrote:
On Sat, 25 Jan 2025 22:05:57 +0100,
Bjorn Ketelaars <b...@openbsd.org> wrote:
Diff below updates vaultwarden to 1.33.0, which contains 3 security
fixes:
- GHSA-f7r5-w49x-gxm3: This vulnerability is only possible if you do not
   have an ADMIN_TOKEN configured and open links or pages you should not
   trust anyway. Ensure you have an ADMIN_TOKEN configured to keep your
   admin environment safe.
- GHSA-h6cc-rc6q-23j4: This vulnerability is only possible if someone
   was able to gain access to your Vaultwarden Admin Backend. The
   attacker could then change some settings to use sendmail as mail agent
   but adjust the settings in such a way that it would use a shell
   command. It then also needed to craft a special favicon image which
   would have the commands embedded to run during, for example, sending a
   test email.
- GHSA-j4h8-vch3-f797: This vulnerability affects all users who have
   multiple Organizations and users which are able to create a new
   organization or have admin or owner rights on at least one
   organization. The attacker does need to know the Organization UUID of
   the Organization it wants to attack or compromise though.

Overview on changes can be found at
https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.0.

Run tested on amd64.

OK/comments?

Tested on -current/amd64 with www/vaultwarden-web-2025.1.1.

OK kirill@ for both ports.

Do you plan to backport it to -stable?

Well, it requires some effort to backport vaultwarden to -stable.

Here the diff which builds on 7.6.

I had tested it with www/vaultwarden-web-2025.1.1 on 7.6/amd64, no
regression with chrome plugin and iOS client.

Ok?
Ah, great! Builds on 7.6.

OK bket@

Kirill, when you are ready to commit to 7.6, could you also commit the
vaultwarden and vaultwarden-web updates to current?

As the vaultwarden update deals with several security issues I would
propose _not_ to wait for an ok from aisha@ (maintainer).


Sorry, I wasn't checking email over the weekend.

It builds fine for me on 7.6, so OK aisha.

One thing about these kinds of security fixes is I'm never sure if the problem is only present in the part of the code in the patch. Given that they have had quite a few CVEs in the organizations part of the code... not sure how many changes they did in other parts of the organizations code in between releases.

But thanks a lot for backporting.

Aisha