Monday, January 27, 2025

Re: SECURITY UPDATE security/vaultwarden-1.33.0


On 1/26/2025 9:58 AM, Bjorn Ketelaars wrote:
> On Sun 26/01/2025 11:56, Kirill A. Korinsky wrote:
>> On Sun, 26 Jan 2025 09:57:04 +0100, Kirill A. Korinsky <kirill@korins.ky> wrote:
>>> On Sat, 25 Jan 2025 22:05:57 +0100, Bjorn Ketelaars <bket@openbsd.org> wrote:
>>>> Diff below updates vaultwarden to 1.33.0, which contains 3 security
>>>> fixes:
>>>>
>>>> - GHSA-f7r5-w49x-gxm3: This vulnerability is only possible if you do not
>>>>   have an ADMIN_TOKEN configured and open links or pages you should not
>>>>   trust anyway. Ensure you have an ADMIN_TOKEN configured to keep your
>>>>   admin environment safe.
>>>> - GHSA-h6cc-rc6q-23j4: This vulnerability is only possible if someone
>>>>   was able to gain access to your Vaultwarden Admin Backend. The
>>>>   attacker could then change some settings to use sendmail as mail agent
>>>>   but adjust the settings in such a way that it would use a shell
>>>>   command. It then also needed to craft a special favicon image which
>>>>   would have the commands embedded to run during for example sending a
>>>>   test email.
>>>> - GHSA-j4h8-vch3-f797: This vulnerability affects all users who have
>>>>   multiple Organizations and users which are able to create a new
>>>>   organization or have admin or owner rights on at least one
>>>>   organization. The attacker does need to know the Organization UUID of
>>>>   the Organization it wants to attack or compromise though.
>>>>
>>>> Overview on changes can be found at
>>>> https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.0.
>>>>
>>>> Run tested on amd64.
>>>>
>>>> OK/comments?
>>>
>>> Tested on -current/amd64 with www/vaultwarden-web-2025.1.1.
>>>
>>> OK kirill@ for both ports.
>>>
>>> Do you plan to backport it to -stable?
>>
>> Well, it requires some effort to backport vaultwarden to -stable.
>>
>> Here is the diff which builds on 7.6.
>>
>> I had tested it with www/vaultwarden-web-2025.1.1 on 7.6/amd64, no
>> regression with chrome plugin and iOS client.
>>
>> Ok?
>
> Ah, great! Builds on 7.6.
>
> OK bket@
>
> Kirill, when you are ready to commit to 7.6, could you also commit the
> vaultwarden and vaultwarden-web updates to current?
>
> As the vaultwarden update deals with several security issues I would
> propose _not_ to wait for an ok from aisha@ (maintainer).


Sorry wasn't checking email for the weekend.

It builds fine for me on 7.6, so OK aisha.

One thing about these kinds of security fixes is I'm never sure if the problem is only present in the part of the code in the patch. Given that they have had quite a few CVEs in the organizations part of the code... not sure how many changes they did in other parts of the organizations code in between releases.

But thanks a lot for backporting.

Aisha
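The first advisory quoted in the thread (GHSA-f7r5-w49x-gxm3) only applies when no ADMIN_TOKEN is configured. The following is an added example, not code from the thread or from the vaultwarden project: a POSIX sh check that a vaultwarden .env-style configuration file sets ADMIN_TOKEN to a non-empty value, so an operator can confirm the precondition the advisory depends on is not present. The file path, the `KEY=value` format, and the sample configs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: verify a vaultwarden .env-style config defines a non-empty
# ADMIN_TOKEN. The config format (KEY=value lines, optional quotes) is an
# assumption; adjust if your deployment sets the token another way.

# check_admin_token FILE
#   returns 0 if ADMIN_TOKEN is set to a non-empty value, 1 otherwise
check_admin_token() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # Take the last uncommented ADMIN_TOKEN= assignment (later lines win),
    # strip the key and any surrounding single or double quotes.
    value=$(grep -E '^[[:space:]]*ADMIN_TOKEN=' "$file" | tail -n 1 \
        | sed -e 's/^[[:space:]]*ADMIN_TOKEN=//' -e "s/^['\"]//" -e "s/['\"]\$//")
    if [ -z "$value" ]; then
        echo "ADMIN_TOKEN is not set in $file: the admin page would be unauthenticated" >&2
        return 1
    fi
    echo "ADMIN_TOKEN is set in $file"
    return 0
}

# Constructed sample configs so the check runs stand-alone.
good_cfg=$(mktemp)
bad_cfg=$(mktemp)
printf 'DOMAIN=https://vault.example.org\nADMIN_TOKEN="placeholder-long-random-value"\n' > "$good_cfg"
printf 'DOMAIN=https://vault.example.org\n# ADMIN_TOKEN=\n' > "$bad_cfg"

check_admin_token "$good_cfg"
check_admin_token "$bad_cfg" || echo "(expected failure for the constructed config without a token)"
```

Point the function at the real config file of the deployment (for example the .env file referenced by the rc script) and treat a non-zero exit as a finding to fix before exposing the admin page.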
