head 1.6; access; symbols pkgsrc-2025Q1:1.5.0.2 pkgsrc-2025Q1-base:1.5 pkgsrc-2024Q3:1.3.0.6 pkgsrc-2024Q3-base:1.3 pkgsrc-2024Q2:1.3.0.4 pkgsrc-2024Q2-base:1.3 pkgsrc-2024Q1:1.3.0.2 pkgsrc-2024Q1-base:1.3 pkgsrc-2023Q2:1.1.0.4 pkgsrc-2023Q2-base:1.1 pkgsrc-2023Q1:1.1.0.2 pkgsrc-2023Q1-base:1.1; locks; strict; comment @# @; 1.6 date 2025.05.27.07.51.07; author adam; state dead; branches; next 1.5; commitid GkM3x2GzXC1abwWF; 1.5 date 2025.02.24.08.59.37; author adam; state Exp; branches; next 1.4; commitid Yg4nVfVPNhYUvHKF; 1.4 date 2024.12.01.00.04.58; author pin; state dead; branches; next 1.3; commitid BY5a6kukmL85iJzF; 1.3 date 2024.01.18.14.09.27; author hauke; state Exp; branches; next 1.2; commitid itZjs8zHaBNz9WUE; 1.2 date 2023.07.20.15.25.38; author hauke; state dead; branches; next 1.1; commitid YuGD2EJGNaoOnyxE; 1.1 date 2023.02.22.16.28.37; author hauke; state Exp; branches; next ; commitid eCfEY83VXxPnxxeE; desc @@ 1.6 log @vaultwarden: updated to 1.34.1 1.34.1 Fix admin diagnostics crash 1.34.0 Updated web-vault to v2025.5.0 Implemented new registration flow with email verification Added support for some feature flags (mutual TLS, attachment export, AnonAddy/SimpleLogin self host) @ text @$NetBSD: patch-Cargo.toml,v 1.5 2025/02/24 08:59:37 adam Exp $ Use vendored yubico crate. 
--- Cargo.toml.orig 2025-01-25 21:53:34.923846967 +0000 +++ Cargo.toml @@@@ -175,7 +175,7 @@@@ grass_compiler = { version = "0.13.4", d [patch.crates-io] # Patch yubico to remove duplicate crates of older versions -yubico = { git = "https://github.com/BlackDex/yubico-rs", rev = "00df14811f58155c0f02e3ab10f1570ed3e115c6" } +yubico = { path = "../yubico-rs-00df14811f58155c0f02e3ab10f1570ed3e115c6" } # Strip debuginfo from the release builds # The symbols are the provide better panic traces @ 1.5 log @vaultwarden: updated to 1.33.2 1.33.2 Update workflows and enhance security Update crates & fix CVE-2025-24898 add bulk-access endpoint for collections Fix icon redirect not working on desktop Show assigned collections on member edit 1.33.1 This release has some minor issues fixed like: Icons not working on the Desktop clients Invites not always working DUO settings not able to configure Manager rights Mobile client sync issues fixed 1.33.0 Security Fixes This release contains security fixes for the following advisories. And we strongly advise to update as soon as possible. GHSA-f7r5-w49x-gxm3 This vulnerability is only possible if you do not have an ADMIN_TOKEN configured and open links or pages you should not trust anyway. Ensure you have an ADMIN_TOKEN configured to keep your admin environment safe. GHSA-h6cc-rc6q-23j4 This vulnerability is only possible if someone was able to gain access to your Vaultwarden Admin Backend. The attacker could then change some settings to use sendmail as mail agent but adjust the settings in such a way that it would use a shell command. It then also needed to craft a special favicon image which would have the commands embedded to run during for example sending a test email. GHSA-j4h8-vch3-f797 This vulnerability affects all users who have multiple Organizations and users which are able to create a new organization or have admin or owner rights on at least one organization.
The attacker does need to know the Organization UUID of the Organization it wants to attack or compromise though. Notable changes Updated web-vault to v2025.1.1 Added partial manage role support for collections Manager role is converted to a Custom role with either Manage All Collections or per collection. Admins and Owners probably want to check and verify if the rights are still correct. The OCI containers and binaries are signed via GitHub Attestations This allows you to verify an OCI image or even the vaultwarden binary located within the OCI image. @ text @d1 1 a1 1 $NetBSD$ @ 1.4 log @security/vaultwarden: update to 1.32.5 Update from 1.30.1 Too much to list here, please see https://github.com/dani-garcia/vaultwarden/releases Next time, please ask for help when having issues with a Rust package :) @ text @d1 1 a1 1 $NetBSD: patch-Cargo.toml,v 1.3 2024/01/18 14:09:27 hauke Exp $ d3 1 a3 1 Bump openssl version d5 1 a5 1 --- Cargo.toml.orig 2023-11-15 09:41:14.000000000 +0000 d7 1 a7 2 @@@@ -139,10 +139,10 @@@@ cookie = "0.16.2" cookie_store = "0.19.1" d9 4 a12 7 # Used by U2F, JWT and PostgreSQL -openssl = "=0.10.57" +openssl = "=0.10.60" # Set openssl-sys fixed to v0.9.92 to prevent building issues with musl, arm and 32bit pointer width # It will force add a dynamically linked library which prevents the build from being static -openssl-sys = "=0.9.92" +openssl-sys = "=0.9.96" d14 2 a15 2 # CLI argument parsing pico-args = "0.5.0" @ 1.3 log @Update security/vaultwarden to v1.30.1 Thanks go to the FreeBSD security/vaultwarden maintainer - I still don't know how to update the package without their dependency list... The openssl lib update patch is also from there.
From upstream's changelog: Fix missing alpine tag during buildx bake by @@BlackDex in #4043 Disable autofill-v2 by @@BlackDex in #4056 Add Protected Actions Check by @@BlackDex in #4067 Update crates by @@BlackDex in #4074 Added passkey support, allowing the browser extensions to store and use your passkeys, make sure the extension is updated to version 2023.10.0 or newer for passkey support. Updated web vault to 2023.10.0. Fixed crashes in ARMv6 devices Fixed crashes when trying to create/edit a cipher in the mobile applications. Update Rust and Crates by @@BlackDex in #3808 update web-vault to v2023.8.2 by @@stefan0xC in #3821 Fix Login With Device without MasterPassword by @@BlackDex in #3831 Update GitHub Workflow by @@BlackDex in #3910 Fix arm builds by @@BlackDex in #3911 Fix typos by @@tuhanayim in #3959 csp: rename anonaddy.com to addy.io by @@stefan0xC in #3950 filter handlebars logs by @@stefan0xC in #3859 Remove unnecessary variable clone by @@mvalois in #3981 README.md: Fix grammar nit by @@AndreasHGK in #3965 Fix small issues by @@BlackDex in #3964 Adds LastActive on /admin/users API route by @@mvalois in #3951 Reopen log file on SIGHUP by @@tobiasmboelz in #3909 Fix External ID not set during DC Sync by @@BlackDex in #3804 New config option disable email change by @@admav in #3986 2FA Confirmation Code Email subject line change to fix triggering Google spam blocker by @@aureateflux in #3572 Implement cipher key encryption by @@dani-garcia in #3990 Container building changes by @@BlackDex in #3958 Fix issue with MariaDB/MySQL migrations by @@BlackDex in #3994 feat: Working passkeys storage by @@GeekCornerGH in #4025 ci: add trivy workflow by @@mightyBroccoli in #3997 Fix importing Bitwarden exports by @@BlackDex in #4030 Fix .env.template file by @@BlackDex in #3734 Fix UserOrg status during LDAP Import by @@BlackDex in #3740 Update images to Bookworm and PQ15 and Rust v1.71 by @@BlackDex in #3573 Implement "login with device" by @@quexten in #3592 
chore: Bump web vault to v2023.7.1 and bump Rust by @@GeekCornerGH in #3769 Optimized Favicon downloading by @@BlackDex in #3751 add UserDecryptionOptions to login response by @@stefan0xC in #3813 add new secretsmanager plan for web-v2023.8.x by @@stefan0xC in #3797 Allow Authorization header for Web Sockets by @@BlackDex in #3806 Update admin interface by @@BlackDex in #3730 Fix Org API Key generation on PosgreSQL by @@BlackDex in #3678 feat: Add support for forwardemail by @@GeekCornerGH in #3686 Fix some external_id issues by @@BlackDex in #3690 Remove debug code during attachment download by @@BlackDex in #3704 WebSocket notifications now work via the default HTTP port. No need for WEBSOCKET_ENABLED and a separate port anymore. The proxy examples still need to be updated for this. Support for the old websockets port 3012 will remain for the time being. Mobile Client push notification support, see #3304 thanks @@GeekCornerGH! Web-Vault updated to v2023.5.0 (v2023.5.1 does not add any improvements for us) The latest Bitwarden Directory Connector can be used now (v2022.11.0) Storing passkeys is supported, though the clients are not yet released. So, it might be we need to make some changes once they are released. See: #3593, thanks @@GeekCornerGH! @ text @d1 1 a1 1 $NetBSD$ @ 1.2 log @Update security/vaultwarden to v1.28.1 Note the license change from gnu-gpl-v3 to gnu-agpl-v3. There is at this time no update to the current 1.29.0, because o upstream is pulling in a non-release crate from github during build, again, and o pkgsrc has no workable way to create an updated "cargo-depends.mk". The make CARGO_ARGS="build --release" build described in the pkgsrc guide 21.4.4 does not work, and I ended up cribbing the cargo list from the FreeBSD package (thanks, guys!). 
Upstream's change list: 1.28.1 What's Changed Decode knowndevice X-Request-Email as base64url with no padding by @@jjlin in #3376 Fix abort on password reset mail error by @@BlackDex in #3390 support /users//invite/resend admin api by @@nikolaevn in #3397 always return KdfMemory and KdfParallelism by @@stefan0xC in #3398 Fix sending out multiple websocket notifications by @@BlackDex in #3405 Revert setcap, update rust and crates by @@BlackDex in #3403 1.28.0 Major changes The project has changed license to the AGPLv3. If you're hosting a Vaultwarden instance, you now have a requirement to distribute the Vaultwarden source code to your users if they request it. The source code, and any changes you have made, need to be under the same AGPLv3 license. If you simply use our code without modifications, just pointing them to this repository is enough. Added support for Argon2 key derivation on the clients. To enable it for your account, make sure all your clients are using version v2023.2.0 or greater, then go to account settings > security > keys, and change the algorithm from PBKDF2 to Argon2id. Added support for Argon2 key derivation for the admin page token. 
To update your admin token to use it, check the wiki New alternative registries for the docker images are available (In BETA for now): Github Container Registry: https://ghcr.io/dani-garcia/vaultwarden Quay: https://quay.io/vaultwarden/server What's Changed Remove patched multer-rs by @@manofthepeace in #2968 Removed unsafe-inline JS from CSP and other fixes by @@BlackDex in #3058 Validate YUBICO_SERVER string (#3003) by @@BlackDex in #3059 Log message to stderr if LOG_FILE is not writable by @@pjsier in #3061 Update WebSocket Notifications by @@BlackDex in #3076 Optimize config loading messages by @@BlackDex in #3092 Percent-encode org_name in links by @@am97 in #3093 Fix failing large note imports by @@BlackDex in #3087 Change text/plain API responses to application/json by @@jjlin in #3124 Remove shrink-to-fit=no from viewport-meta-tag by @@redwerkz in #3126 Update dependencies and MSRV by @@BlackDex in #3128 Resolve uninlined_format_args clippy warnings by @@BlackDex in #3065 Update Rust to v1.66.1 to patch CVE by @@BlackDex in #3136 Fix remaining inline format by @@BlackDex in #3130 Use more modern meta tag for charset encoding by @@redwerkz in #3131 fix (2fa.directory): Allow api.2fa.directory, and remove 2fa.directory by @@GeekCornerGH in #3132 Optimize CipherSyncData for very large vaults by @@BlackDex in #3133 Add avatar color support by @@BlackDex in #3134 Add MFA icon to org member overview by @@BlackDex in #3135 Minor refactoring concering user.setpassword by @@sirux88 in #3139 Validate note sizes on key-rotation. 
by @@BlackDex in #3157 Update KDF Configuration and processing by @@BlackDex in #3163 Remove arm32v6-specific tag by @@jjlin in #3164 Re-License Vaultwarden to AGPLv3 by @@BlackDex in #2561 Admin password reset by @@sirux88 in #3116 "Spell-Jacking" mitigation ~ prevent sensitive data leak \u2026 by @@dlehammer in #3145 Allow listening on privileged ports (below 1024) as non-root by @@jjlin in #3170 don't nullify key when editing emergency access by @@stefan0xC in #3215 Fix trailing slash not getting removed from domain by @@BlockListed in #3228 Generate distinct log messages for regex vs. IP blacklisting. by @@kpfleming in #3231 allow editing/unhiding by group by @@farodin91 in #3108 Fix Javascript issue on non sqlite databases by @@BlackDex in #3167 add argon2 kdf fields by @@tessus in #3210 add support for system mta though sendmail by @@soruh in #3147 Updated Rust and crates by @@BlackDex in #3234 docs: add build status badge in readme by @@R3DRUN3 in #3245 Validate all needed fields for client API login by @@BlackDex in #3251 Fix Organization delete when groups are configured by @@BlackDex in #3252 Fix Collection Read Only access for groups by @@Misterbabou in #3254 Make the admin session lifetime adjustable by @@mittler-works in #3262 Add function to fetch user by email address by @@mittler-works in #3263 Fix vault item display in org vault view by @@jjlin in #3277 Add confirmation for removing 2FA and deauthing sessions in admin panel by @@JCBird1012 in #3282 Some Admin Interface updates by @@BlackDex in #3288 Fix the web-vault v2023.2.0 API calls by @@BlackDex in #3281 Fix confirmation for removing 2FA and deauthing sessions in admin panel by @@dpinse in #3290 Admin token Argon2 hashing support by @@BlackDex in #3289 Add HEAD routes to avoid spurious error messages by @@jjlin in #3307 Fix web-vault Member UI show/edit/save by @@BlackDex in #3315 Upd Crates, Rust, MSRV, GHA and remove Backtrace by @@BlackDex in #3310 Add support for /api/devices/knowndevice 
with HTTP header params by @@jjlin in #3329 Update Rust, MSRV and Crates by @@BlackDex in #3348 Merge ClientIp with Headers. by @@BlackDex in #3332 add endpoints to bulk delete collections/groups by @@stefan0xC in #3354 Add support for Quay.io and GHCR.io as registries by @@BlackDex in #3363 Some small fixes and updates by @@BlackDex in #3366 Update web vault to v2023.3.0 by @@dani-garcia 1.27.0 New features Event logs for organizations With this feature enabled, actions occurring inside an organization will be recorded in a log, viewable by organization admins and owners. Check the official documentation to learn more: https://bitwarden.com/help/event-logs/ (Note that the Public API is not yet implemented, so the events are only viewable in the Web Vault) To enable this feature, set ORG_EVENTS_ENABLED=true. By default all events will be stored indefinitely, if you want to limit that, you can use the EVENTS_DAYS_RETAIN option. You can also tune the cleanup schedule with EVENT_CLEANUP_SCHEDULE. Group support (beta) Enables the creation and use of groups inside an organization. At the moment this is in beta because there are some known issues (#2989). Still, the more this feature is tested, the faster we will be able to stabilize it. To enable this feature, set ORG_GROUPS_ENABLED=true, make sure to make proper backups of your instance before hand. What's Changed Group support | applied .diff by @@MFijak in #2846 Add Organizational event logging feature by @@BlackDex in #2868 Updated web vault to 2022.12.0 by @@dani-garcia Update diesel to 2.0.2 by @@dani-garcia in #2724 Limit Cipher Note encrypted string size by @@BlackDex in #2945 fix invitations of new users when mail is disabled by @@stefan0xC in #2773 attach images in email by @@stefan0xC in #2784 allow registration without invite link by @@stefan0xC in #2799 Fix master password hint update not working. 
by @@BlackDex in #2834 Sync global_domains.json by @@jjlin in #2840 verify email on registration by invite by @@stefan0xC in #2804 Take ROCKET_ADDRESS into account in the Docker healthcheck by @@jjlin in #2844 Update github workflows by @@BlackDex in #2852 feat: Bump web-vault to v2022.10.1 by @@GeekCornerGH in #2859 Update Rust version, deps and workflow by @@BlackDex in #2888 Add /devices/knowndevice endpoint by @@BlackDex in #2893 fix: removed a double space by @@GeekCornerGH in #2894 Support Org Export for v2022.11 clients by @@BlackDex in #2899 Use constant size generic parameter for random bytes generation by @@samueltardieu in #2910 Update config comment to reflect rfc8314. by @@skid9000 in #2911 Set "Bypass admin page security" as read-only by @@BlackDex in #2918 Fully remove DuckDuckGo email service. by @@BlackDex in #2919 Added missing register endpoint to identity by @@BlackDex in #2920 Prevent DNS leak when icon regex is configured by @@BlackDex in #2921 Update settings description by @@karbobc in #2928 allow managers to set groups of a collection by @@stefan0xC in #2933 Update Vaultwarden Logo's by @@BlackDex in #2940 check if sqlite folder exists by @@stefan0xC in #2873 redirect to admin login page when forward fails by @@stefan0xC in #2886 Cleanups and Fixes for Emergency Access by @@BlackDex in #2936 Update dependencies for Rust and Admin interface. by @@BlackDex in #2941 Fix admin repost warning. by @@BlackDex in #2953 Add dev-only query logging support by @@BlackDex in #2954 Fix managers and groups link by @@BlackDex in #2947 use a custom 404 page by @@stefan0xC in #2948 Increase privacy of masked config by @@BlackDex in #2963 Improve comments by @@tessus in #2969 use black favicon for /admin by @@tessus in #2970 Remove ctrlc crate and some updates by @@BlackDex in #2971 Fix org export (again) by @@BlackDex in #2973 Revert collection queries back to left_join by @@BlackDex in #2976 Fix recover-2fa not working. 
by @@BlackDex in #2994 Disable groups by default and Some optimizations by @@BlackDex in #2995 Fix a panic during Yubikey register/login by @@BlackDex in #3006 @ text @d1 1 a1 1 $NetBSD: patch-Cargo.toml,v 1.1 2023/02/22 16:28:37 hauke Exp $ d3 1 a3 2 Upstream tries to pull a patched version from a git repo during build, which does not work in a pkgsrc build. d5 1 a5 1 --- Cargo.toml.orig 2022-12-18 19:37:01.000000000 +0000 d7 2 a8 3 @@@@ -152,11 +152,8 @@@@ semver = "1.0.14" # Mainly used for the musl builds, since the default musl malloc is very slow mimalloc = { version = "0.1.32", features = ["secure"], default-features = false, optional = true } d10 7 a16 7 -[patch.crates-io] -# Using a patched version of multer-rs (Used by Rocket) to fix attachment/send file uploads -# Issue: https://github.com/dani-garcia/vaultwarden/issues/2644 -# Patch: https://github.com/BlackDex/multer-rs/commit/477d16b7fa0f361b5c2a5ba18a5b28bec6d26a8a -multer = { git = "https://github.com/BlackDex/multer-rs", rev = "477d16b7fa0f361b5c2a5ba18a5b28bec6d26a8a" } +# async parser for multipart/form-data content-type +multer = "2.0.4" d18 2 a19 2 # Strip debuginfo from the release builds # Also enable thin LTO for some optimizations @ 1.1 log @Upgrade security/vaultwarden to v1.27 From upstream's excuse for a changelog: 1.27.0 Latest New features Event logs for organizations With this feature enabled, actions occurring inside an organization will be recorded in a log, viewable by organization admins and owners. Check the official documentation to learn more: https://bitwarden.com/help/event-logs/ (Note that the Public API is not yet implemented, so the events are only viewable in the Web Vault) To enable this feature, set ORG_EVENTS_ENABLED=true. By default all events will be stored indefinitely, if you want to limit that, you can use the EVENTS_DAYS_RETAIN option. You can also tune the cleanup schedule with EVENT_CLEANUP_SCHEDULE. 
Group support (beta) Enables the creation and use of groups inside an organization. At the moment this is in beta because there are some known issues (#2989). Still, the more this feature is tested, the faster we will be able to stabilize it. To enable this feature, set ORG_GROUPS_ENABLED=true, make sure to make proper backups of your instance before hand. What's Changed Group support | applied .diff by @@MFijak in #2846 Add Organizational event logging feature by @@BlackDex in #2868 Updated web vault to 2022.12.0 by @@dani-garcia Update diesel to 2.0.2 by @@dani-garcia in #2724 Limit Cipher Note encrypted string size by @@BlackDex in #2945 fix invitations of new users when mail is disabled by @@stefan0xC in #2773 attach images in email by @@stefan0xC in #2784 allow registration without invite link by @@stefan0xC in #2799 Fix master password hint update not working. by @@BlackDex in #2834 Sync global_domains.json by @@jjlin in #2840 verify email on registration by invite by @@stefan0xC in #2804 Take ROCKET_ADDRESS into account in the Docker healthcheck by @@jjlin in #2844 Update github workflows by @@BlackDex in #2852 feat: Bump web-vault to v2022.10.1 by @@GeekCornerGH in #2859 Update Rust version, deps and workflow by @@BlackDex in #2888 Add /devices/knowndevice endpoint by @@BlackDex in #2893 fix: removed a double space by @@GeekCornerGH in #2894 Support Org Export for v2022.11 clients by @@BlackDex in #2899 Use constant size generic parameter for random bytes generation by @@samueltardieu in #2910 Update config comment to reflect rfc8314. by @@skid9000 in #2911 Set "Bypass admin page security" as read-only by @@BlackDex in #2918 Fully remove DuckDuckGo email service. 
by @@BlackDex in #2919 Added missing register endpoint to identity by @@BlackDex in #2920 Prevent DNS leak when icon regex is configured by @@BlackDex in #2921 Update settings description by @@karbobc in #2928 allow managers to set groups of a collection by @@stefan0xC in #2933 Update Vaultwarden Logo's by @@BlackDex in #2940 check if sqlite folder exists by @@stefan0xC in #2873 redirect to admin login page when forward fails by @@stefan0xC in #2886 Cleanups and Fixes for Emergency Access by @@BlackDex in #2936 Update dependencies for Rust and Admin interface. by @@BlackDex in #2941 Fix admin repost warning. by @@BlackDex in #2953 Add dev-only query logging support by @@BlackDex in #2954 Fix managers and groups link by @@BlackDex in #2947 use a custom 404 page by @@stefan0xC in #2948 Increase privacy of masked config by @@BlackDex in #2963 Improve comments by @@tessus in #2969 use black favicon for /admin by @@tessus in #2970 Remove ctrlc crate and some updates by @@BlackDex in #2971 Fix org export (again) by @@BlackDex in #2973 Revert collection queries back to left_join by @@BlackDex in #2976 Fix recover-2fa not working. by @@BlackDex in #2994 Disable groups by default and Some optimizations by @@BlackDex in #2995 Fix a panic during Yubikey register/login by @@BlackDex in #3006 1.26.0 What's Changed Updated web vault to v2022.10.0 Fix uploads from mobile clients (and dep updates) by @@BlackDex in #2675 Update deps and Alpine image by @@BlackDex in #2665 Add support for send v2 API endpoints by @@BlackDex in #2756 External Links | Optimize behavior by @@Fvbor in #2693 Add Org user revoke feature by @@BlackDex in #2698 Change the handling of login errors. 
by @@BlackDex in #2729 Added support for web-vault v2022.9 by @@BlackDex in #2732 add not_found catcher for 404 errors by @@stefan0xC in #2768 Fix issue 2737, unable to create org by @@BlackDex in #2738 Rename/Fix revoke/restore endpoints by @@BlackDex in #2739 Update CSP for DuckDuckGo email forwarding by @@jjlin in #2812 check if data folder is a writable directory by @@stefan0xC in #2811 Update build workflow by @@BlackDex in #2744 fix: tooltip typo by @@djbrownbear in #2746 Update libraries and Rust version by @@BlackDex in #2758 Fix organization vault export by @@BlackDex in #2765 allow the removal of non-confirmed owners by @@stefan0xC in #2772 v2022.9.2 expects a json response while registering by @@stefan0xC in #2803 make invitation expiration time configurable by @@stefan0xC in #2805 return more descriptive JWT validation messages by @@stefan0xC in #2806 Add CreationDate to cipher response JSON by @@jjlin in #2813 fix link of license badge by @@stefan0xC in #2816 Thanks to pin@@ for the workaround to patch a release crate. @ text @d1 1 a1 1 $NetBSD$ @
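Review bot: in the yubico hunk (-175,7 +175,7), the added line `yubico = { path = "../yubico-rs-00df14811f58155c0f02e3ab10f1570ed3e115c6" }` keeps the upstream commit id only as part of a directory name, so nothing in the patch itself ties the vendored tree to the `rev` it replaces. The patch comment ("Use vendored yubico crate.") should state where that directory is fetched from and how its contents are checksummed, and the path needs to be changed together with the rev whenever upstream moves the pin, otherwise the build silently keeps using the old tree.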
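Review bot: in the openssl hunk (-139,10 +139,10), the unchanged context comment still reads "Set openssl-sys fixed to v0.9.92 to prevent building issues with musl, arm and 32bit pointer width" while the line below it now pins `openssl-sys = "=0.9.96"`. The patch comment is only "Bump openssl version"; it should record why the upstream pin is being overridden and whether the build was checked on the platforms that comment names, since the pin was put there to avoid breakage on exactly those targets.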
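Review bot: in the multer hunk (-152,11 +152,8), the removed `[patch.crates-io]` block documents that the fork exists to fix attachment/send file uploads (issue 2644), but the replacement `multer = "2.0.4"` gives no indication that this release contains that fix. The patch comment explains only why a git source cannot be used in a pkgsrc build; add a line stating that 2.0.4 includes the change from the referenced multer-rs commit, or that attachment and send uploads were tested against it.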