⬆️ Update vaultwarden/server Docker tag to v1.33.0 #709

Merged
mafyuh merged 1 commit from renovate/vaultwarden-server-1.x into main 2025-01-25 15:15:25 -05:00

This PR contains the following updates:

Package Update Change
vaultwarden/server minor 1.32.7 -> 1.33.0

Release Notes

dani-garcia/vaultwarden (vaultwarden/server)

v1.33.0

Compare Source

Security Fixes

This release contains security fixes for the following advisories.
And we strongly advise to update as soon as possible.

  • GHSA-f7r5-w49x-gxm3 (https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-f7r5-w49x-gxm3)
    This vulnerability is only possible if you do not have an ADMIN_TOKEN configured and open links or pages you should not trust anyway. Ensure you have an ADMIN_TOKEN configured to keep your admin environment safe.
  • GHSA-h6cc-rc6q-23j4 (https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h6cc-rc6q-23j4)
    This vulnerability is only possible if someone was able to gain access to your Vaultwarden Admin Backend. The attacker could then change some settings to use sendmail as mail agent but adjust the settings in such a way that it would use a shell command. It then also needed to craft a special favicon image which would have the commands embedded to run during, for example, sending a test email.
  • GHSA-j4h8-vch3-f797 (https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-j4h8-vch3-f797)
    This vulnerability affects all users who have multiple Organizations and users which are able to create a new organization or have admin or owner rights on at least one organization. The attacker does need to know the Organization UUID of the Organization it wants to attack or compromise though.

Notable changes

  • Updated web-vault to v2025.1.1
  • Added partial manage role support for collections
  • Manager role is converted to a Custom role with either Manage All Collections or per collection.
    Admins and Owners probably want to check and verify if the rights are still correct.
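  • The OCI containers and binaries are signed via GitHub Attestations (https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations-with-the-github-cli)
    This allows you to verify an OCI image or even the vaultwarden binary located within the OCI image.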

These vulnerabilities affects

What's Changed

  • Add inline-menu-positioning-improvements feature flag by @Ephemera42 in https://github.com/dani-garcia/vaultwarden/pull/5313
  • Fix issues when uri match is a string by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5332
  • Add TOTP delete endpoint by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/5327
  • fix group issue in send_invite by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/5321
  • Update crates and GHA by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5346
  • Refactor the uri match fix and fix ssh-key sync by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5339
  • Add partial role support for manager only using web-vault v2024.12.0 by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5219
  • Fix issue with key-rotate by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5348
  • fix manager role in admin users overview by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/5359
  • Prevent new users/members to be stored in db when invite fails by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5350
  • Update crates and web-vault to v2025.1.0 by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5368
  • Allow building with Rust v1.84.0 or newer by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5371
  • rename membership and adopt newtype pattern by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/5320
  • build: raise msrv (1.83.0) rust toolchain (1.84.0) by @tessus in https://github.com/dani-garcia/vaultwarden/pull/5374
  • Fix an issue with login with device by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5379
  • refactor: replace static with const for global constants by @Integral-Tech in https://github.com/dani-garcia/vaultwarden/pull/5260
  • Add Attestations for containers and artifacts by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5378
  • Fix version detection on bake by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5382
  • Simplify container image attestation by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/5387
  • improve admin invite by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/5403
  • Add manage role for collections and groups by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5386
  • update web-vault to v2025.1.1 and add /api/devices by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/5422
  • Security fixes by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5438
  • only validate SMTP_FROM if necessary by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/5442

New Contributors

  • @Ephemera42 made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/5313
  • @Integral-Tech made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/5260

Full Changelog: https://github.com/dani-garcia/vaultwarden/compare/1.32.7...1.33.0


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot (https://github.com/renovatebot/renovate).

renovatebot added 1 commit 2025-01-25 15:01:20 -05:00
⬆️ Update vaultwarden/server Docker tag to v1.33.0
All checks were successful
Lint on PR / Lint YAML files (pull_request) Successful in 6s
Ansible Deploy to Hosts / deploy (pull_request) Successful in 38s
57b8c88d71
mafyuh merged commit 57b8c88d71 into main 2025-01-25 15:15:25 -05:00
mafyuh deleted branch renovate/vaultwarden-server-1.x 2025-01-25 15:15:26 -05:00

Ansible Deployment Output


PLAY [Deploy application] ******************************************************

TASK [Gathering Facts] *********************************************************
ok: [arm.lan]

TASK [Ensure the repository is up-to-date] *************************************
changed: [arm.lan]

TASK [Display git pull output] *************************************************
ok: [arm.lan] => {
    "git_pull_output.stdout_lines": [
        "Updating ccee29e..57b8c88",
        "Fast-forward",
        " docker/arm/docker-compose.yml  | 2 +-",
        " docker/arrs/docker-compose.yml | 2 +-",
        " 2 files changed, 2 insertions(+), 2 deletions(-)"
    ]
}

TASK [Read secret mapping] *****************************************************
ok: [arm.lan]

TASK [Parse secret mapping] ****************************************************
ok: [arm.lan]

TASK [Set env_variables] *******************************************************
ok: [arm.lan]

TASK [Write .env file to target host] ******************************************
ok: [arm.lan]

TASK [Restart services using Docker Compose] ***********************************
changed: [arm.lan]

TASK [Run Docker Command] ******************************************************
changed: [arm.lan]

TASK [Display Docker Output] ***************************************************
ok: [arm.lan] => {
    "docker_output.stdout_lines": [
        "NAME                  IMAGE                                                                                                   COMMAND                  SERVICE               CREATED             STATUS                           PORTS",
        "arm-db-1              mysql:8                                                                                                 \"docker-entrypoint.s…\"   db                    3 months ago        Up 11 days                       3306/tcp, 33060/tcp",
        "arm-postgres-1        postgres:16-alpine                                                                                      \"docker-entrypoint.s…\"   postgres              2 weeks ago         Up 11 days                       5432/tcp",
        "arm-wiki-db-1         postgres:15-alpine                                                                                      \"docker-entrypoint.s…\"   wiki-db               3 months ago        Up 11 days                       5432/tcp",
        "fail2ban              crazymax/fail2ban:1.1.0                                                                                 \"/entrypoint.sh fail…\"   fail2ban              3 months ago        Up 11 days (healthy)             ",
        "forgejo               codeberg.org/forgejo/forgejo:10.0.0                                                                     \"/usr/bin/entrypoint…\"   server                9 days ago          Up 14 hours                      0.0.0.0:23->22/tcp, [::]:23->22/tcp, 0.0.0.0:3002->3000/tcp, [::]:3002->3000/tcp",
        "gotify                gotify/server-arm7:2.6.1                                                                                \"./gotify-app\"           gotify                2 months ago        Up 11 days (healthy)             0.0.0.0:9008->80/tcp, [::]:9008->80/tcp",
        "jellyseerr            fallenbagel/jellyseerr:2.3.0                                                                            \"/sbin/tini -- pnpm …\"   jellyseerr            9 days ago          Up 9 days                        0.0.0.0:5055->5055/tcp, :::5055->5055/tcp",
        "linkstack             linkstackorg/linkstack@sha256:ad2ec7ffa69f4b04367313d1b95566bb00955b9670eb5467fd4fab39dd1f53c1          \"docker-entrypoint.sh\"   linkstack             3 months ago        Up 11 days (healthy)             0.0.0.0:8005->80/tcp, [::]:8005->80/tcp, 0.0.0.0:8006->443/tcp, [::]:8006->443/tcp",
        "linkwarden            ghcr.io/linkwarden/linkwarden:v2.9.3                                                                    \"docker-entrypoint.s…\"   linkwarden            11 days ago         Up 11 days (healthy)             0.0.0.0:3005->3000/tcp, [::]:3005->3000/tcp",
        "n8n                   ghcr.io/n8n-io/n8n:1.76.1                                                                               \"tini -- /docker-ent…\"   n8n                   About an hour ago   Up About an hour                 0.0.0.0:5678->5678/tcp, :::5678->5678/tcp",
        "nginx-proxy-manager   jc21/nginx-proxy-manager:2.12.2                                                                         \"/init\"                  nginx-proxy-manager   3 weeks ago         Up 11 days                       0.0.0.0:80-81->80-81/tcp, :::80-81->80-81/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp",
        "syncthing             ghcr.io/linuxserver/syncthing@sha256:31da8ef3b45a2962f8bebab22d6ef23d7387a26def87482be810602352b276be   \"/init\"                  syncthing             13 days ago         Up 11 days                       0.0.0.0:8384->8384/tcp, 0.0.0.0:21027->21027/udp, :::8384->8384/tcp, :::21027->21027/udp, 0.0.0.0:22000->22000/tcp, :::22000->22000/tcp, 0.0.0.0:22000->22000/udp, :::22000->22000/udp",
        "uptime-kuma           louislam/uptime-kuma:1.23.16                                                                            \"/usr/bin/dumb-init …\"   uptime-kuma           5 weeks ago         Up 11 days (healthy)             0.0.0.0:3001->3001/tcp, :::3001->3001/tcp",
        "vaultwarden           vaultwarden/server:1.33.0                                                                               \"/start.sh\"              vaultwarden           6 seconds ago       Up 1 second (health: starting)   0.0.0.0:8989->80/tcp, [::]:8989->80/tcp",
        "wiki                  ghcr.io/requarks/wiki:2.5.305                                                                           \"docker-entrypoint.s…\"   wiki                  3 months ago        Up 11 days                       3443/tcp, 0.0.0.0:1234->3000/tcp, [::]:1234->3000/tcp"
    ]
}

PLAY RECAP *********************************************************************
arm.lan                    : ok=10   changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   


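A post-deploy check, added here as an example and not part of this PR, of the repository's playbook or of vaultwarden: it reads rows in the layout of the Display Docker Output task and the text of a .env file, then reports a vaultwarden/server tag older than 1.33.0 or an ADMIN_TOKEN that is missing or empty. The sample rows, the .env contents and every function name are constructed for illustration.

```python
import re

FIXED = (1, 33, 0)  # release that carries the security fixes, per the notes above

# Constructed sample rows in the column layout of `docker compose ps`.
PS_LINES = [
    'NAME          IMAGE                          COMMAND       SERVICE       CREATED       STATUS       PORTS',
    'uptime-kuma   louislam/uptime-kuma:1.23.16   "/usr/bin/dumb-init …"   uptime-kuma   5 weeks ago   Up 11 days (healthy)   0.0.0.0:3001->3001/tcp',
    'vaultwarden   vaultwarden/server:1.32.7      "/start.sh"   vaultwarden   3 weeks ago   Up 11 days   0.0.0.0:8989->80/tcp',
]
# Constructed .env text; the key name comes from the release notes.
ENV_TEXT = "# written by the deploy job\nDOMAIN=https://vault.example\nADMIN_TOKEN=\n"


def split_image(ref):
    """Split an image reference into (repository, tag, digest)."""
    name, _, digest = ref.partition("@")
    colon = name.rfind(":")
    # A colon before the last "/" belongs to a registry port, not a tag.
    if colon > name.rfind("/"):
        return name[:colon], name[colon + 1:], digest
    return name, "", digest


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("\"'")
    return env


def audit(ps_lines, env_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings, seen = [], False
    for line in ps_lines[1:]:  # skip the header row
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 2:
            continue
        repo, tag, _ = split_image(cols[1])
        if repo != "vaultwarden/server" and not repo.endswith("/vaultwarden/server"):
            continue
        seen = True
        match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
        if not match:
            # "latest" or a digest-only reference tells us nothing about the version.
            findings.append(f"{cols[0]}: no version in tag {tag!r}")
        elif tuple(int(p) for p in match.groups()) < FIXED:
            findings.append(f"{cols[0]}: {tag} predates 1.33.0")
    if not seen:
        findings.append("no vaultwarden/server container listed")
    if not parse_env(env_text).get("ADMIN_TOKEN"):
        findings.append("ADMIN_TOKEN missing or empty")
    return findings


if __name__ == "__main__":
    for finding in audit(PS_LINES, ENV_TEXT):
        print(finding)
```

An empty result only says the tag and the variable look right; it does not verify the image's attestation.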
Reference: mafyuh/iac#709