File vaultwarden.changes of Package vaultwarden
-------------------------------------------------------------------
Tue Feb 24 00:04:24 UTC 2026 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.35.4
This release contains security fixes for the following
advisories. We strongly advice to update as soon as possible.
- GHSA-w9f8-m526-h7fh. This vulnerability would allow an attacker
to access a cipher from a different user (fully encrypted) if
they already know its internal UUID.
- GHSA-h4hq-rgvh-wh27. This vulnerability allows an attacker with
manager-level access within an organization to modify
collections they can access, even if they do not have
management permissions for them.
- GHSA-r32r-j5jq-3w4m. This vulnerability allows an attacker with
manager-level access within an organization to modify
collections they are not assigned.
These are private for now, pending CVE assignment.
What's Changed
- Update Rust and Crates and GHA by @BlackDex in #6843
- hide remember 2fa token by @stefan0xC in #6852
- fix(send_invite): invite links by @proofofcopilot in #6824
- Misc organization fixes by @BlackDex in #6867
-------------------------------------------------------------------
Tue Feb 10 20:51:38 UTC 2026 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.35.3
https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.3
-------------------------------------------------------------------
Fri Jan 9 21:00:20 UTC 2026 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.35.2
https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.2
-------------------------------------------------------------------
Tue Dec 30 14:58:02 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.35.1
https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.1
-------------------------------------------------------------------
Sat Dec 27 23:16:35 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.35.0
https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.0
-------------------------------------------------------------------
Wed Jul 30 09:34:26 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.34.3
https://github.com/dani-garcia/vaultwarden/releases/tag/1.34.3
-------------------------------------------------------------------
Sun Jul 27 20:54:16 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.34.2
https://github.com/dani-garcia/vaultwarden/releases/tag/1.34.2
-------------------------------------------------------------------
Mon May 26 21:54:43 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.34.1
https://github.com/dani-garcia/vaultwarden/releases/tag/1.34.1
-------------------------------------------------------------------
Mon May 26 20:43:45 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.34.0
https://github.com/dani-garcia/vaultwarden/releases/tag/1.34.0
-------------------------------------------------------------------
Sun Feb 9 18:55:26 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.33.2
https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.2
-------------------------------------------------------------------
Mon Feb 3 13:35:49 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.33.1
https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.1
-------------------------------------------------------------------
Sat Jan 25 16:51:48 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.33.0
https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.0
This release contains security fixes for the following advisories.
And we strongly advice to update as soon as possible.
GHSA-f7r5-w49x-gxm3
This vulnerability is only possible if you do not have an
ADMIN_TOKEN configured and open links or pages you should not
trust anyway. Ensure you have an ADMIN_TOKEN configured to keep
your admin environment save.
GHSA-h6cc-rc6q-23j4
This vulnerability is only possible if someone was able to gain
access to your Vaultwarden Admin Backend. The attacker could then
change some settings to use sendmail as mail agent but adjust the
settings in such a way that it would use a shell command. It then
also needed to craft a special favicon image which would have the
commands embedded to run during for example sending a test email.
GHSA-j4h8-vch3-f797
This vulnerability affects all users who have multiple
Organizations and users which are able to create a new
organization or have admin or owner rights on at least one
organization. The attacker does need to know the Organization
UUID of the Organization it want's to attack or compromise
though.
-------------------------------------------------------------------
Fri Dec 20 13:49:13 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.32.7
https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.7
We have yet a few other security fixes for this release. We
discovered that groups were able to be edited by any admin from
any organization because the organization was not validated or
used within the query. This could potentially allow an admin from
other organizations to modify, or delete groups from any
organization if they know the uuid of the group. We suggest
people to update a.s.a.p. to mitigate this risk.
-------------------------------------------------------------------
Wed Dec 11 00:21:41 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.32.6
https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.6
-------------------------------------------------------------------
Mon Nov 18 14:54:40 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.32.5
https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.5
-------------------------------------------------------------------
Mon Nov 11 00:45:45 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.32.4
https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.4
-------------------------------------------------------------------
Sun Oct 27 19:16:52 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
- Downgrade rust to 1.81 again to allow Leap builds
-------------------------------------------------------------------
Sun Oct 27 18:31:42 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.32.3
https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.3
-------------------------------------------------------------------
Sun Oct 13 17:14:02 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.32.2
https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.2
-------------------------------------------------------------------
Thu Oct 3 19:17:18 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.32.1
https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.1
-------------------------------------------------------------------
Fri Sep 20 08:49:12 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
- apparmor allow more permissions (mostly around name resolution)
found while setting up an instance with postgresql
-------------------------------------------------------------------
Sun Aug 11 22:03:05 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.32.0
https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.0
-------------------------------------------------------------------
Mon Jul 8 22:29:35 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.31.0
https://github.com/dani-garcia/vaultwarden/releases/tag/1.31.0
- drop 377969ea6769bccd008203c5464eb361f685b787.patch
- cleanup accepted security from the _service file as they are
fixed in the versione update
-------------------------------------------------------------------
Mon Jun 17 21:23:50 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
- add patch to build with rust 1.79
377969ea6769bccd008203c5464eb361f685b787.patch
-------------------------------------------------------------------
Tue Apr 9 14:20:39 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
- switch to vendoring with filtering
-------------------------------------------------------------------
Sat Mar 2 20:10:27 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.30.5
https://github.com/dani-garcia/vaultwarden/releases/tag/1.30.4
https://github.com/dani-garcia/vaultwarden/releases/tag/1.30.5
-------------------------------------------------------------------
Thu Feb 1 23:09:52 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.30.3
https://github.com/dani-garcia/vaultwarden/releases/tag/1.30.3
-------------------------------------------------------------------
Wed Jan 31 00:30:12 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.30.2
https://github.com/dani-garcia/vaultwarden/releases/tag/1.30.2
-------------------------------------------------------------------
Tue Nov 21 15:18:41 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
- instead of patching files during build with sed. just have the
proper files to begin with.
-------------------------------------------------------------------
Tue Nov 21 11:26:57 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
- Fix sed patching
-------------------------------------------------------------------
Sun Nov 19 23:11:22 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.30.1
https://github.com/dani-garcia/vaultwarden/releases/tag/1.30.0
https://github.com/dani-garcia/vaultwarden/releases/tag/1.30.1
-------------------------------------------------------------------
Fri Sep 1 13:29:12 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
- bump rust/cargo to 1.70 to match dependencies in the package
-------------------------------------------------------------------
Fri Sep 1 11:33:17 UTC 2023 - Elisei Roca <eroca@mailbox.org>
- Update to version 1.29.2
https://github.com/dani-garcia/vaultwarden/releases/tag/1.29.2
- Minor release to fix an issue forcing user to set a master
password when logging in even when it's already set
-------------------------------------------------------------------
Tue Aug 1 09:46:59 UTC 2023 - Elisei Roca <eroca@mailbox.org>
- Fix building after switching to cargo-packaging
* fixed features flag usage, it's -F/--features
* remove [build] and [install] sections added to the .cargo/config
- Other minor spec file improvements:
* Use %{_sysconfdir} for /etc
* Fix installing multiple service files, though we only have one
- Rename vaultwarden-webvault to vaultwarden-web-vault
-------------------------------------------------------------------
Mon Jul 31 06:23:33 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
- Replace rust-packaging with cargo packaging
-------------------------------------------------------------------
Sun Jul 30 01:03:35 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.29.1
https://github.com/dani-garcia/vaultwarden/releases/tag/1.29.1
-------------------------------------------------------------------
Sun Jul 9 23:20:26 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.29.0
https://github.com/dani-garcia/vaultwarden/releases/tag/1.29.0
https://github.com/dani-garcia/vaultwarden/releases/tag/1.28.1
-------------------------------------------------------------------
Mon Apr 3 22:47:34 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
- Update to version 1.28.0
- Decode knowndevice X-Request-Email as base64url with no padding
by @jjlin in #3376
- Fix abort on password reset mail error by @BlackDex in #3390
- support /users/<uuid>/invite/resend admin api by @nikolaevn in
#3397
- always return KdfMemory and KdfParallelism by @stefan0xC in
#3398
- Fix sending out multiple websocket notifications by @BlackDex
in #3405
- Revert setcap, update rust and crates by @BlackDex in #3403
-------------------------------------------------------------------
Sun Mar 26 20:02:42 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
- switch to service based building
-------------------------------------------------------------------
Fri Jan 6 15:29:11 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
- as web-vault is only recommended, but not required, disable the
feature by default
-------------------------------------------------------------------
Fri Jan 6 15:13:35 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
- Add AppArmor profile
-------------------------------------------------------------------
Thu Jan 5 23:10:23 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
- Fork the package and cleanup for having a clean openSUSE package
-------------------------------------------------------------------
Thu Jan 5 08:34:05 UTC 2023 - Julian Röder <obs@masgalor.de>
- Update to version 1.27.0
* Group support | applied .diff by @MFijak in #2846
* Add Organizational event logging feature by @BlackDex in #2868
* Limit Cipher Note encrypted string size by @BlackDex in #2945
* fix invitations of new users when mail is disabled by @stefan0xC in #2773
* attach images in email by @stefan0xC in #2784
* allow registration without invite link by @stefan0xC in #2799
* Fix master password hint update not working. by @BlackDex in #2834
* Sync global_domains.json by @jjlin in #2840
* verify email on registration by invite by @stefan0xC in #2804
* Add /devices/knowndevice endpoint by @BlackDex in #2893
* fix: removed a double space by @GeekCornerGH in #2894
* Support Org Export for v2022.11 clients by @BlackDex in #2899
* Use constant size generic parameter for random bytes generation by @samueltardieu in #2910
* Set "Bypass admin page security" as read-only by @BlackDex in #2918
* Fully remove DuckDuckGo email service. by @BlackDex in #2919
* Added missing register endpoint to identity by @BlackDex in #2920
* Prevent DNS leak when icon regex is configured by @BlackDex in #2921
* allow managers to set groups of a collection by @stefan0xC in #2933
* Update Vaultwarden Logo's by @BlackDex in #2940
* check if sqlite folder exists by @stefan0xC in #2873
* redirect to admin login page when forward fails by @stefan0xC in #2886
* Cleanups and Fixes for Emergency Access by @BlackDex in #2936
* Fix admin repost warning. by @BlackDex in #2953
* Add dev-only query logging support by @BlackDex in #2954
* Fix managers and groups link by @BlackDex in #2947
* use a custom 404 page by @stefan0xC in #2948
* Increase privacy of masked config by @BlackDex in #2963
* use black favicon for /admin by @tessus in #2970
* Remove ctrlc crate and some updates by @BlackDex in #2971
* Revert collection queries back to left_join by @BlackDex in #2976
* Fix recover-2fa not working. by @BlackDex in #2994
* Disable groups by default and Some optimizations by @BlackDex in #2995
* Fix a panic during Yubikey register/login by @BlackDex in #3006
-------------------------------------------------------------------
Tue Oct 18 07:28:59 UTC 2022 - Julian Röder <obs@masgalor.de>
- Update to version 1.26.0
* Fix uploads from mobile clients (and dep updates) by @BlackDex in #2675
* Add support for send v2 API endpoints by @BlackDex in #2756
* External Links | Optimize behavior by @Fvbor in #2693
* Add Org user revoke feature by @BlackDex in #2698
* Change the handling of login errors. by @BlackDex in #2729
* Added support for web-vault v2022.9 by @BlackDex in #2732
* add not_found catcher for 404 errors by @stefan0xC in #2768
* Fix issue 2737, unable to create org by @BlackDex in #2738
* Rename/Fix revoke/restore endpoints by @BlackDex in #2739
* Update CSP for DuckDuckGo email forwarding by @jjlin in #2812
* check if data folder is a writable directory by @stefan0xC in #2811
* fix: tooltip typo by @djbrownbear in #2746
* Update libraries and Rust version by @BlackDex in #2758
* Fix organization vault export by @BlackDex in #2765
* allow the removal of non-confirmed owners by @stefan0xC in #2772
* v2022.9.2 expects a json response while registering by @stefan0xC in #2803
* make invitation expiration time configurable by @stefan0xC in #2805
* return more descriptive JWT validation messages by @stefan0xC in #2806
* Add CreationDate to cipher response JSON by @jjlin in #2813
- Improve systemd-integration with some distributions.
-------------------------------------------------------------------
Fri Oct 7 08:14:38 UTC 2022 - Julian Röder <obs@masgalor.de>
- Improve the build environment
* Requirements that were only introduced to satisfy the build service were removed.
Conflitcs and choices are now resolved within the project configuration.
* The rust-setup was optimized to skip unnecessary components and configurations.
-------------------------------------------------------------------
Thu Jul 28 06:34:38 UTC 2022 - Julian Röder <obs@masgalor.de>
- Update to version 1.25.2
* Fix persistent folder check within containers by @BlackDex in #2631
* Mitigate attachment/send upload issues by @BlackDex in #2650
* Fix issue with CSP and icon redirects by @BlackDex in #2624
-------------------------------------------------------------------
Mon Jul 18 07:51:18 UTC 2022 - Julian Röder <obs@masgalor.de>
- Change the buildrecipe to build all binaries on the intended target system, instead of reusing prebuilt binaries.
- Update to version 1.25.1
* Sync global_domains.json by @jjlin in #2555
* Add TMP_FOLDER to .env.template by @fox34 in #2489
* Allow FireFox relay in CSP. by @BlackDex in #2565
* Fix hidden ciphers within organizational view. by @BlackDex in #2567
* Add password_hints_allowed config option by @jjlin in #2586
* Fall back to move_copy_to if persist_to fails while saving uploaded files. by @ruifung in #2605
* Swap Websocket crate from ws to tungstenite, which is more maintained, supports async, and removes around 20 old duplicate versions of used crates by @dani-garcia
* Add a persistent volume check. by @BlackDex in #2501, #2507
* Adding "UserEnabled" and "CreatedAt" member to the json output of a User by @Lowaiz in #2523
* Bump lettre to 0.10.0-rc.7 by @paolobarbolini in #2531
* Small email sending code improvements by @paolobarbolini in #2532
* A little depreciation change by @binlab in #2556
* Fix identicons not always working by @BlackDex in #2571
* Small change in log-level for better debugging by @BlackDex in #2577
* Address inconsistency v{version} with and without a v in the version with most recent updates. by @nneul in #2595
* Bump openssl-src from 111.21.0+1.1.1p to 111.22.0+1.1.1q by @dependabot in #2599
* Add more clippy checks for better code/readability by @BlackDex in #2611
* Update deps, misc fixes and updates, small improvements on favicons and fix file-uploads by @BlackDex in #2543, #2568, #2619
-------------------------------------------------------------------
Fri Jun 3 06:27:20 UTC 2022 - Julian Röder <obs@masgalor.de>
- Update to version 1.25.0
* Update Rocket to 0.5 and async, and compile on stable by @dani-garcia in #2276
* Update async to prepare for main merge + several updates by @BlackDex in #2292
* Add IP address to missing/invalid password message for Sends by @jaen in #2313
* Add support for custom .env file path by @TinfoilSubmarine in #2315
* Added autofocus to pw field on admin login page by @taylorwmj in #2328
* Update login API code and update crates to fix CVE by @BlackDex in #2354
* Several updates and fixes by @BlackDex in #2379
* disable legacy X-XSS-Protection feature by @Wonderfall in #2380
* Fix building mimalloc on armv6 by @BlackDex in #2397
* Remove u2f implementation by @BlackDex in #2398
* Sync global_domains.json by @jjlin in #2400
* Add /api/{alive,now,version} endpoints by @jjlin in #2433
* Improve sync speed and updated dep. versions by @BlackDex in #2429
* Database connection init by @jjlin in #2440
* Fix upload limits and disable color logs by @BlackDex in #2480
-------------------------------------------------------------------
Mon Jan 31 13:59:35 UTC 2022 - Julian Röder <obs@masgalor.de>
- Update to version 1.24.0
* Add support for external icon services by @jjlin in #2158
* Add config option to set the HTTP redirect code for external icons by @jjlin in #2188
* Add support for legacy HTTP 301/302 redirects for external icons by @jjlin in #2218
* Add support for API keys by @jjlin in #2245
* Basic ratelimit for user login (including 2FA) and admin login by @dani-garcia in #2165
* Upgrade Feature-Policy to Permissions-Policy by @iamdoubz in #2228
* Set Expires header when caching responses by @RealOrangeOne in #2182
* Increase length limit for email token generation by @jjlin in #2257
* Small changes to icon log messages. by @BlackDex in #2170
* Bump rust version to mitigate CVE-2022-21658 by @dscottboggs in #2255
* Fixed #2151 by @BlackDex in #2169
* Fixed issue #2154 by @BlackDex in #2194
* Fix issue with Bitwarden CLI. by @BlackDex in #2197
* Fix emergency access invites for new users by @BlackDex in #2217
* Sync global_domains.json by @jjlin in #2156
* Sync global_domains.json by @jjlin in #2171
- Complete default config file
-------------------------------------------------------------------
Wed Dec 15 08:04:23 UTC 2021 - Julian Röder <obs@masgalor.de>
- Update to version 1.23.1
* Add email notifications for incomplete 2FA logins by @jjlin in #2067
* Fix conflict resolution logic for read_only and hide_passwords flags by @jjlin in #2073
* Fix missing encrypted key after emergency access reject by @jjlin in #2078
* Fix PostgreSQL migration by @jjlin in #2080
* Macro recursion decrease and other optimizations by @BlackDex in #2084
* Enabled trust-dns and some updates. by @BlackDex in #2125
-------------------------------------------------------------------
Thu Oct 21 10:10:34 UTC 2021 - Julian Röder <obs@masgalor.de>
- Update to version 1.23.0
* Added emergency access feature
* Can be disabled setting EMERGENCY_ACCESS_ALLOWED=false
* Added support for single organization policy
* Fixed incorrect webauthn origin
* Enforce personal ownership policy on imports
* Fixed issue using uppercase characters on emails
* Added organization bulk user management actions (reinvite/confirm/delete)
* Removed limmit that disabled sending ciphers with attachments
* Disabled enforcing of two factor organization policy on users that haven't been accepted yet
* Updated icon fetching to make it work on unicode websites
* Added database connection check to /alive endpoint
* Updated dependencies
-------------------------------------------------------------------
Tue Jul 27 07:55:26 UTC 2021 - Julian Röder <obs@masgalor.de>
- Update to version 1.22.2
* Enforce 2FA policy in organizations.
* Protect send routes against a possible path traversal attack.
* Disable show_password_hint by default, it still can be enabled in the admin panel or with environment variables.
* Disable user verification enforcement in Webauthn, which would make some users unable to login.
* Fix issue that wouldn't correctly delete Webauthn Key.
* Added Edge extension support for Webauthn.
-------------------------------------------------------------------
Thu Jul 1 07:54:24 UTC 2021 - Julian Röder <obs@masgalor.de>
- Update to version 1.22.1
* Added sends_allowed option to disable Send functionality.
* Added support for hiding the senders email address.
* Added Send options policy.
* Added support for password reprompt.
* Switched to the new attachment download API.
* Send download links use a token system to limit their downloads.
* Updates to the icon fetching.
* Support for webauthn.
* The admin page now shows which variables are overridden.
* Updated dependencies and docker base images.
* Now RSA keys are generated with the included openssl instead of calling to the openssl binary.
- Remove OpenSSL as dependency as it is no longer needed.
-------------------------------------------------------------------
Wed May 26 21:42:55 UTC 2021 - Julian Röder <obs@masgalor.de>
- Add support for mysql und postgresql
-------------------------------------------------------------------
Mon May 3 08:02:42 UTC 2021 - Julian Röder <obs@masgalor.de>
- Improves package relations on debian-based distributions
-------------------------------------------------------------------
Fri Apr 30 10:12:08 UTC 2021 - Julian Röder <obs@masgalor.de>
- Project renamed to Vaultwarden
- Update to version 1.21.0
* Add support for enabling auto-deletion of trash items after X days, disabled by default
* Set TRASH_AUTO_DELETE_DAYS to a positive value to enable this functionality
* You can also configure how often this process runs, using cron sintax with the variable TRASH_PURGE_SCHEDULE
* Updates to the icon fetching, making it more reliable in detecting icon types
* Updated admin page, improving version checks and SQLite backup feature
