Created attachment 255215 [details] git diff for security/vaultwarden
```
security/vaultwarden: Security update to 1.32.4

PR:
Security: aba28514-a414-11ef-98e7-84a93843eb75
```
Vulns not further specified by project.
A commit in branch main references this bug:
```
URL: https://cgit.FreeBSD.org/ports/commit/?id=252a072ff09e587d757d848eb3fd80cc8586fb43

commit 252a072ff09e587d757d848eb3fd80cc8586fb43
Author:     Michael Reifenberger <mr@FreeBSD.org>
AuthorDate: 2024-11-16 16:30:29 +0000
Commit:     Michael Reifenberger <mr@FreeBSD.org>
CommitDate: 2024-11-16 16:31:52 +0000

    security/vaultwarden: Security update to 1.32.4

    PR:             282795
    Reported by:    Bernard Spil

 security/vaultwarden/Makefile        |   3 +-
 security/vaultwarden/Makefile.crates |  70 +++++++++--------
 security/vaultwarden/distinfo        | 146 ++++++++++++++++++-----------------
 3 files changed, 115 insertions(+), 104 deletions(-)
```
There are (again) undisclosed vulnerabilities in 1.32.4: https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.5
Created attachment 255285 [details] git diff security/vaultwarden
Removing etc/rc.d/vaultwarden removes error: `pkg-static: duplicate file listing: /usr/local/etc/rc.d/vaultwarden`. Bernard Spil kindly indicated we should also add an entry to the vuln db, which I intend to provide in a subsequent patch.
Created attachment 255286 [details] git diff security/vuxml
Created attachment 255287 [details] git diff security/vuxml
Looking closer at the commits included in the release, it looks like the discovery date is more likely 2024-11-11. New patch attached for security/vuxml.
(In reply to foudfou from comment #5) The vulnerabilities (as per authors) concern <= 1.32.3, they're (supposed to be) fixed in 1.32.5. The fix in 1.32.4 (currently in ports tree) is incomplete.
(In reply to vedad from comment #6) I missed the "lt" in the attachment, sorry for the noise.
A commit in branch main references this bug:
```
URL: https://cgit.FreeBSD.org/ports/commit/?id=63974c070ff072210b7991216bd8779e4302e4e3

commit 63974c070ff072210b7991216bd8779e4302e4e3
Author:     Michael Reifenberger <mr@FreeBSD.org>
AuthorDate: 2024-11-19 16:25:01 +0000
Commit:     Michael Reifenberger <mr@FreeBSD.org>
CommitDate: 2024-11-19 16:25:01 +0000

    security/vaultwarden: Security update to 1.32.5

    This release further fixed some CVE Reports reported by a third party
    security auditor and we recommend everybody to update to the latest
    version as soon as possible. The contents of these reports will be
    disclosed publicly in the future.

    PR:             282795
    Reported by:    Bernard Spil

 security/vaultwarden/Makefile        |  2 +-
 security/vaultwarden/Makefile.crates |  4 ++++
 security/vaultwarden/distinfo        | 14 +++++++++++---
 security/vaultwarden/pkg-plist       |  1 -
 4 files changed, 16 insertions(+), 5 deletions(-)
```
A commit in branch main references this bug:
```
URL: https://cgit.FreeBSD.org/ports/commit/?id=5c3d5f53fc7c6b33e7f9b8c2ba5cdf9e33a56788

commit 5c3d5f53fc7c6b33e7f9b8c2ba5cdf9e33a56788
Author:     Michael Reifenberger <mr@FreeBSD.org>
AuthorDate: 2024-11-19 16:28:25 +0000
Commit:     Michael Reifenberger <mr@FreeBSD.org>
CommitDate: 2024-11-19 16:28:53 +0000

    security/vuxml: Add vaultwarden

    Vaultwarden -- Multiple vulnerabilities

    PR:             282795
    Reported by:    Bernard Spil

 security/vuxml/vuln/2024.xml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
```
Hi, committed. Hopefully this fixed all CVEs... Thanks for providing!