UPDATE security/vaultwarden-1.32.5
Diff below updates vaultwarden to 1.32.5. From https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.5: This release further fixed some CVE Reports reported by a third party security auditor and we recommend everybody to update to the latest version as soon as possible. The contents of these reports will be disclosed publicly in the future. Not sure how many of these CVE fixes to expect. Run tested on amd64. I think it makes sense to backport this update to -stable as well. OK for committing to -current and -stable / comments?
diff --git Makefile Makefile
index 08fe2180a59..8e9da758a90 100644
--- Makefile
+++ Makefile
@@ -8,7 +8,7 @@ BROKEN-i386 = raw-cpuid-10.2.0/src/lib.rs:80:37 "could not find `arch` in `self
 COMMENT = unofficial bitwarden compatible server
-DIST_TUPLE = github dani-garcia vaultwarden 1.32.4 .
+DIST_TUPLE = github dani-garcia vaultwarden 1.32.5 .
 CATEGORIES = security
diff --git crates.inc crates.inc
index d45d144cac1..80de8a24ece 100644
--- crates.inc
+++ crates.inc
@@ -53,6 +53,7 @@ MODCARGO_CRATES += chrono 0.4.38 # MIT OR Apache-2.0
 MODCARGO_CRATES += chrono-tz 0.10.0 # MIT OR Apache-2.0
 MODCARGO_CRATES += chrono-tz-build 0.4.0 # MIT OR Apache-2.0
 MODCARGO_CRATES += chumsky 0.9.3 # MIT
+MODCARGO_CRATES += codemap 0.1.3 # MIT/Apache-2.0
 MODCARGO_CRATES += concurrent-queue 2.5.0 # Apache-2.0 OR MIT
 MODCARGO_CRATES += cookie 0.18.1 # MIT OR Apache-2.0
 MODCARGO_CRATES += cookie_store 0.21.1 # MIT OR Apache-2.0
@@ -120,6 +121,7 @@ MODCARGO_CRATES += gimli 0.31.1 # MIT OR Apache-2.0
 MODCARGO_CRATES += glob 0.3.1 # MIT OR Apache-2.0
 MODCARGO_CRATES += gloo-timers 0.3.0 # MIT OR Apache-2.0
 MODCARGO_CRATES += governor 0.7.0 # MIT
+MODCARGO_CRATES += grass_compiler 0.13.4 # MIT
 MODCARGO_CRATES += h2 0.3.26 # MIT
 MODCARGO_CRATES += h2 0.4.6 # MIT
 MODCARGO_CRATES += half 1.8.3 # MIT OR Apache-2.0
@@ -177,6 +179,7 @@ MODCARGO_CRATES += job_scheduler_ng 2.0.5 # MIT OR Apache-2.0
 MODCARGO_CRATES += js-sys 0.3.72 # MIT OR Apache-2.0
 MODCARGO_CRATES += jsonwebtoken 9.3.0 # MIT
 MODCARGO_CRATES += kv-log-macro 1.0.7 # MIT OR Apache-2.0
+MODCARGO_CRATES += lasso 0.7.3 # MIT OR Apache-2.0
 MODCARGO_CRATES += lazy_static 1.5.0 # MIT OR Apache-2.0
 MODCARGO_CRATES += lettre 0.11.10 # MIT
 MODCARGO_CRATES += libc 0.2.162 # MIT OR Apache-2.0
@@ -242,6 +245,7 @@ MODCARGO_CRATES += pest_meta 2.7.14 # MIT OR Apache-2.0
 MODCARGO_CRATES += phf 0.11.2 # MIT
 MODCARGO_CRATES += phf_codegen 0.11.2 # MIT
 MODCARGO_CRATES += phf_generator 0.11.2 # MIT
+MODCARGO_CRATES += phf_macros 0.11.2 # MIT
 MODCARGO_CRATES += phf_shared 0.11.2 # MIT
 MODCARGO_CRATES += pico-args 0.5.0 # MIT
 MODCARGO_CRATES += pin-project-lite 0.2.15 # Apache-2.0 OR MIT
diff --git distinfo distinfo
index c94007166bc..253c2791925 100644
--- distinfo
+++ distinfo
@@ -53,6 +53,7 @@ SHA256 (cargo/chrono-0.4.38.tar.gz) = oh+TbfF3G/Yrd/BHtybEYl/y6KpgfAHsBuWgW9hGNA
 SHA256 (cargo/chrono-tz-0.10.0.tar.gz) = zW3YBG0AcjpZovjF8pXFFbm7mjMe5Pjz1N1J5Cis07Y=
 SHA256 (cargo/chrono-tz-build-0.4.0.tar.gz) = 6U/qNNd6JFIp53Rr0r63hs0qiW8wb/SR+4zsswdLEKc=
 SHA256 (cargo/chumsky-0.9.3.tar.gz) = juvWZ0ShXe0Ulgq0zNv7Ua07gfUfPwSoCtrJjJhTlsk=
+SHA256 (cargo/codemap-0.1.3.tar.gz) = uedptcjIKDmCqYfG6UjlQCVPEFjVp0uHlJFNTvX8KiQ=
 SHA256 (cargo/concurrent-queue-2.5.0.tar.gz) = TKAZeu4m0a43RF7lMv785DJR0kzHwWZ5n01GgX8dOXM=
 SHA256 (cargo/cookie-0.18.1.tar.gz) = Td7zOjOakeqJ+1MVG9CkaJz84nBVwpHfpplFR10ix0c=
 SHA256 (cargo/cookie_store-0.21.1.tar.gz) = LqyQGCj4ilJB7gYAlQq5gRSKGPL3VpAP+6GxJcpqPvk=
@@ -120,6 +121,7 @@ SHA256 (cargo/gimli-0.31.1.tar.gz) = B+KO24CQDBnCjxBy8uiuyn+gayPNQWnO/hr1qjJgeD8
 SHA256 (cargo/glob-0.3.1.tar.gz) = 0vq8+9yH9HWDN8pTX7QabXAbZWk844KH2FbRZ0VR7Js=
 SHA256 (cargo/gloo-timers-0.3.0.tar.gz) = u7FDz5YJmAIDPg1PSWOxn9Lgtyi88HbNnPf2Y08JKZQ=
 SHA256 (cargo/governor-0.7.0.tar.gz) = B0aqdl23i1IUUe90IhZjtXullb+D910M4jzAlEfIE58=
+SHA256 (cargo/grass_compiler-0.13.4.tar.gz) = LZ499/AiLOUYQVSXPSR8WR2arcKM56c8bNMRAMn6z/Y=
 SHA256 (cargo/h2-0.3.26.tar.gz) = gf5SeoieFTLaXFJWhtltTC50zdNFut+N/vn2s53V9eg=
 SHA256 (cargo/h2-0.4.6.tar.gz) = Uk6KxpmUIfSahGwtRBHzN+U0l9jsVdZ3U77/pDxdkgU=
 SHA256 (cargo/half-1.8.3.tar.gz) = G0Pt4X8hhk6Bvi+mVBEL8eeTd0I42G74VVw35lGcBAM=
@@ -177,6 +179,7 @@ SHA256 (cargo/job_scheduler_ng-2.0.5.tar.gz) = h8JSIH8yPimW0Id1nr3P+PYIzT6qmJaQm
 SHA256 (cargo/js-sys-0.3.72.tar.gz) = aojxvaK9dbBFKhR4STfXlnIv3r/lDfmYrrPwt2AwGak=
 SHA256 (cargo/jsonwebtoken-9.3.0.tar.gz) = ua4QGT0lBR50lF8eotC0LgPMO4kPfkzF+qRJl9gIGT8=
 SHA256 (cargo/kv-log-macro-1.0.7.tar.gz) = DeizAyl2Na1XyfUFn9nO56R/jo2qCd8PzQfdOfsil38=
+SHA256 (cargo/lasso-0.7.3.tar.gz) = bhTtpQo0lLO/e5zlHFJDSnYeOD1yOM4d1dzsL7wT6fs=
 SHA256 (cargo/lazy_static-1.5.0.tar.gz) = u9K8tMlj8t2uBqLvx+nzWRMSRzxQxmheHymAaDFuZv4=
 SHA256 (cargo/lettre-0.11.10.tar.gz) = AWHkUjSOOZ3raFugXlXuEWyulBD09R/kLVlzYURFIdk=
 SHA256 (cargo/libc-0.2.162.tar.gz) = GNKH3mf+Vf1+FYH+kz2WWlqUd7OOlJz6n4V07wFQY5g=
@@ -242,6 +245,7 @@ SHA256 (cargo/pest_meta-2.7.14.tar.gz) = t12ipwz02ct2gzyZCsnNOSPJqJBaiSl4nONHyEV
 SHA256 (cargo/phf-0.11.2.tar.gz) = reLYuPM8czO1G88EKNN+IX6fMhkq5HchVvZQY7jOA9w=
 SHA256 (cargo/phf_codegen-0.11.2.tar.gz) = 6NOWiNNZ5rNGVNMo4mIjRmLRbMD2Dsjcvl5xhwk0Klo=
 SHA256 (cargo/phf_generator-0.11.2.tar.gz) = SOTMZMKtnr5nDLj9ad1QrjAWUDkugcBfm/yy1b28JLA=
+SHA256 (cargo/phf_macros-0.11.2.tar.gz) = NERkbihmBlh+SfO88WebjO8dwsXswp3ayv/DBRgNRks=
 SHA256 (cargo/phf_shared-0.11.2.tar.gz) = kPy5Xu94TCrHkRnR3YGeFitdqHLObzw6vh6MocCC9ys=
 SHA256 (cargo/pico-args-0.5.0.tar.gz) = W+Fnp6827iL+MRUFG8UfbmxwVMk0jijetPSb1vcFoxU=
 SHA256 (cargo/pin-project-lite-0.2.15.tar.gz) = kVoeFGU13pFj85h7iUTtjPSaGLsAVrzrzc7OOFzs5P8=
@@ -453,7 +457,7 @@ SHA256 (cargo/zerofrom-derive-0.1.4.tar.gz) = Dqe0o2N+qGac7fDx/Vwoahfz3pe43Vpwps
 SHA256 (cargo/zeroize-1.8.1.tar.gz) = ztNniih5swMG0yP0VCYmaXpGSpfAoHya6/frymXNTd4=
 SHA256 (cargo/zerovec-0.10.4.tar.gz) = qiuJPXnfI7+xLVRhAY1AjqGd+v52wsfvbU66YU+P8Hk=
 SHA256 (cargo/zerovec-derive-0.10.3.tar.gz) = bq+m37F1hOo+K9bnbgzBWtevErCavdHKVZYb7ZsQY8Y=
-SHA256 (dani-garcia-vaultwarden-1.32.4.tar.gz) = fPmlxzVt9CsNoxikRr9XbCqjQFgexMcp8cthZ1TPZq0=
+SHA256 (dani-garcia-vaultwarden-1.32.5.tar.gz) = MFsZXkZM2DGrwxESrsna1jS0QyMGnP49xnXt5Bo6Qtk=
 SIZE (cargo/addr2line-0.24.2.tar.gz) = 39015
 SIZE (cargo/adler2-2.0.0.tar.gz) = 13529
 SIZE (cargo/ahash-0.8.11.tar.gz) = 43607
@@ -509,6 +513,7 @@ SIZE (cargo/chrono-0.4.38.tar.gz) = 220559
 SIZE (cargo/chrono-tz-0.10.0.tar.gz) = 373596
 SIZE (cargo/chrono-tz-build-0.4.0.tar.gz) = 10660
 SIZE (cargo/chumsky-0.9.3.tar.gz) = 75112
+SIZE (cargo/codemap-0.1.3.tar.gz) = 9483
 SIZE (cargo/concurrent-queue-2.5.0.tar.gz) = 22654
 SIZE (cargo/cookie-0.18.1.tar.gz) = 43551
 SIZE (cargo/cookie_store-0.21.1.tar.gz) = 34692
@@ -576,6 +581,7 @@ SIZE (cargo/gimli-0.31.1.tar.gz) = 279515
 SIZE (cargo/glob-0.3.1.tar.gz) = 18880
 SIZE (cargo/gloo-timers-0.3.0.tar.gz) = 5530
 SIZE (cargo/governor-0.7.0.tar.gz) = 131769
+SIZE (cargo/grass_compiler-0.13.4.tar.gz) = 166416
 SIZE (cargo/h2-0.3.26.tar.gz) = 168315
 SIZE (cargo/h2-0.4.6.tar.gz) = 173912
 SIZE (cargo/half-1.8.3.tar.gz) = 41624
@@ -633,6 +639,7 @@ SIZE (cargo/job_scheduler_ng-2.0.5.tar.gz) = 14886
 SIZE (cargo/js-sys-0.3.72.tar.gz) = 54096
 SIZE (cargo/jsonwebtoken-9.3.0.tar.gz) = 48987
 SIZE (cargo/kv-log-macro-1.0.7.tar.gz) = 16842
+SIZE (cargo/lasso-0.7.3.tar.gz) = 78870
 SIZE (cargo/lazy_static-1.5.0.tar.gz) = 14025
 SIZE (cargo/lettre-0.11.10.tar.gz) = 146373
 SIZE (cargo/libc-0.2.162.tar.gz) = 769354
@@ -698,6 +705,7 @@ SIZE (cargo/pest_meta-2.7.14.tar.gz) = 42079
 SIZE (cargo/phf-0.11.2.tar.gz) = 21569
 SIZE (cargo/phf_codegen-0.11.2.tar.gz) = 12977
 SIZE (cargo/phf_generator-0.11.2.tar.gz) = 14190
+SIZE (cargo/phf_macros-0.11.2.tar.gz) = 4748
 SIZE (cargo/phf_shared-0.11.2.tar.gz) = 14284
 SIZE (cargo/pico-args-0.5.0.tar.gz) = 11545
 SIZE (cargo/pin-project-lite-0.2.15.tar.gz) = 29683
@@ -909,4 +917,4 @@ SIZE (cargo/zerofrom-derive-0.1.4.tar.gz) = 8232
 SIZE (cargo/zeroize-1.8.1.tar.gz) = 20029
 SIZE (cargo/zerovec-0.10.4.tar.gz) = 126398
 SIZE (cargo/zerovec-derive-0.10.3.tar.gz) = 19438
-SIZE (dani-garcia-vaultwarden-1.32.4.tar.gz) = 619528
+SIZE (dani-garcia-vaultwarden-1.32.5.tar.gz) = 623393
UPDATE security/vaultwarden-1.32.5