[24.05] vaultwarden: 1.30.5 -> 1.31.0 -> 1.32.0

[SuperSandro2000]

Description of changes

https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.0

Security Fixes
This release has several CVE Reports fixed and we recommend everybody to update to the latest version as soon as possible.

CVE-2024-39924 Fixed via dani-garcia/vaultwarden#4715
CVE-2024-39925 Fixed via dani-garcia/vaultwarden#4837
CVE-2024-39926 Fixed via dani-garcia/vaultwarden#4737

1.31.0 contains breaking changes https://github.com/dani-garcia/vaultwarden/releases/tag/1.31.0 . I am not going to attempt to backport any changes because of the size of the patches.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[dotlambda]

We don't want to backport the webvault bumps?

[SuperSandro2000]

yeah, we do. I am currently trying to get a newer rust

[dotlambda]

I didn't realize we need a newer Rust. In that case we might just want to apply the security fixes as patches.

Also, please use git cherry-pick -x.

[SuperSandro2000]

I didn't realize we need a newer Rust. In that case we might just want to apply the security fixes as patches.

As already mentioned, I am not going to invest any time into such activities.

Also, please use git cherry-pick -x.

To late now. Also the information in there would be incorrect anyway, since I cherry-picked from my forked branches.

---

@ofborg build vaultwarden

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/several-information-leaks-in-vaultwarden-1-32-0/50500/1

[dotlambda]

To late now. Also the information in there would be incorrect anyway, since I cherry-picked from my forked branches.

Just cherry-pick from master instead. If you want, I can open my own PR.

[SuperSandro2000]

Just cherry-pick from master instead. If you want, I can open my own PR.

yeah, whatever. Just did it.

[dotlambda]

Thank you!

[dotlambda]

@ofborg test vaultwarden

[SuperSandro2000]

Does it make sense to add release note entries at this point?

[dotlambda]

Does it make sense to add release note entries at this point?

I doubt it.

[SuperSandro2000]

I am going ahead and will be merging this because of the security situation. I personally don't have the time or knowledge to properly backport the patches and no one spoke up in the last day, so I don't see a quick alternative.

[dotlambda]

The only reason I hadn't merged yet was to give people a chance to look at the Rust stuff. But they can complain later if they don't like it.

[SuperSandro2000]

Just for reference: I based it on #298206 so I hope it is fine 😅