Software update: Vaultwarden 1.35.5
Bitwarden is a password manager that regularly appears on Tweakers. It is open source and can also be run on your own server. Developer Daniel García has created an unofficial implementation of Bitwarden written in Rust, initially under the name Bitwarden_rs but for the past few years as Vaultwarden. It covers only the server side of the password manager; the official Bitwarden software can be used for the clients. Vaultwarden is lighter to run and also includes functionality that requires payment with Bitwarden, including functionality for managing passwords at the organization level. Version 1.35.5 of Vaultwarden has been released, with the following changes and improvements:
Security Fixes
This release contains security fixes for the following advisories. We strongly advise to update as soon as possible.
- GHSA-937x-3j8m-7w7p Unconfirmed Owner Can Purge Entire Organization Vault.
- GHSA-569v-845w-g82p Cross-Org Group Binding Enables Unauthorized Read And Write Access Into Another Organization
- GHSA-6j4w-g4jh-xjfx Refresh tokens not invalidated on security stamp rotation

These are private for now, pending CVE assignment.
Notes
The admin templates have changed, please update them if you override these via templates.

What's Changed
- Apply policies only to confirmed members in #6892
- Feat(config): add feature flag for Safari account switching in #6891
- Fix: add ForcePasswordReset to api key login in #6904
- Add Webauthn related origins flag to known flags. in #6900
- Add 30s cache to SSO exchange_refresh_token in #6866
- Add cxp-import-mobile and cxp-export-mobile: feature flags on mobile in #6853
- Misc updates and fixes in #6910
- Support new desktop origin on CORS in #6920
- Fix checkout action version in #6921
- Fix apikey login in #6922
- Fix email header base64 padding in #6961
- Update Feature Flags in #6981
- Update crates and GHA in #6980
- Use protected CI environment in #7004
- Fix 2FA Remember to actually be 30 days in #6929
- Misc Updates in #7027
- Switch to attest action in #7017
- Rotate refresh-tokens on sstamp reset in #7031
- Misc org fixes in #7032
- Fix empty string FolderId in #7048
- Disable deployments for release env in #7033
- Fix Send icons in #7051
- Prevent managers from creating collections in #6890
- Change SQLite backup to use VACUUM INTO query in #6989
- Handle SIGTERM and SIGQUIT shutdown signals. in #7008
- Do not display unavailable 2FA options in #7013
- Fix logout push identifiers and send logout before clearing devices in #7047
- Fix windows build issues in #7065
- Crate and GHA updates in #7081
Source:
Tweakers.net