Update docker.io/vaultwarden/server Docker tag to v1.33.0
Automatically upgrading Vaultwarden container with Watchtower and having no problems whatsoever with dependency update facilitated by Mend's Renovate Bot.
This MR contains the following updates:
Package | Update | Change |
---|---|---|
docker.io/vaultwarden/server | minor | 1.32.7 -> 1.33.0 |
Release Notes
dani-garcia/vaultwarden (docker.io/vaultwarden/server)
v1.33.0
Security Fixes
This release contains security fixes for the following advisories.
And we strongly advise to update as soon as possible.
- GHSA-f7r5-w49x-gxm3
  This vulnerability is only possible if you do not have an ADMIN_TOKEN configured and open links or pages you should not trust anyway. Ensure you have an ADMIN_TOKEN configured to keep your admin environment safe.
- GHSA-h6cc-rc6q-23j4
  This vulnerability is only possible if someone was able to gain access to your Vaultwarden Admin Backend. The attacker could then change some settings to use sendmail as mail agent but adjust the settings in such a way that it would use a shell command. It then also needed to craft a special favicon image which would have the commands embedded to run during for example sending a test email.
- GHSA-j4h8-vch3-f797
  This vulnerability affects all users who have multiple Organizations and users which are able to create a new organization or have admin or owner rights on at least one organization. The attacker does need to know the Organization UUID of the Organization it wants to attack or compromise though.
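Added example, not part of the Vaultwarden release notes or this MR: a pre-upgrade check for the two conditions the advisories above turn on, an image older than 1.33.0 and a missing ADMIN_TOKEN. It assumes the deployment keeps its settings in a KEY=VALUE env file; the function names and the sample values are hypothetical.

```shell
FIXED_VERSION="1.33.0"   # release carrying the advisory fixes, per the notes above

# image_version REF: print the x.y.z tag of an image reference, or "unknown".
image_version() {
    case $1 in *:*) tag=${1##*:} ;; *) tag="" ;; esac
    tag=${tag#v}; tag=${tag%%-*}           # drop a leading v and variants such as -alpine
    case $tag in
        ""|*[!0-9.]*) echo unknown ;;      # untagged, "latest", or a registry port
        [0-9]*.[0-9]*.[0-9]*) echo "$tag" ;;
        *) echo unknown ;;
    esac
}

# version_lt A B: succeed when three-part version A is older than B.
version_lt() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2                           # split both versions into six numeric fields
    IFS=$old_ifs
    [ "$1" -lt "$4" ] && return 0; [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0; [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ]
}

# env_value FILE KEY: value of the last uncommented KEY= line, surrounding quotes removed.
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed "s/^[\"']//; s/[\"'][[:space:]]*\$//"
}

# audit_vaultwarden IMAGE_REF ENV_FILE: print findings; exit status is the finding count.
audit_vaultwarden() {
    findings=0
    ver=$(image_version "$1")
    if [ "$ver" = unknown ]; then
        echo "WARN  '$1' is not pinned to x.y.z; cannot confirm >= $FIXED_VERSION"; findings=$((findings + 1))
    elif version_lt "$ver" "$FIXED_VERSION"; then
        echo "FAIL  image $ver predates $FIXED_VERSION and lacks the advisory fixes"; findings=$((findings + 1))
    fi
    if [ -z "$(env_value "$2" ADMIN_TOKEN)" ]; then
        echo "FAIL  ADMIN_TOKEN is unset or empty in $2"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed demo input: an env file with only a commented-out token, and the old tag from this MR.
demo_env=$(mktemp)
printf '%s\n' '# ADMIN_TOKEN=disabled' 'DOMAIN=https://vault.example.test' > "$demo_env"
audit_vaultwarden docker.io/vaultwarden/server:1.32.7 "$demo_env" || true
rm -f "$demo_env"
```

Floating tags such as latest are reported as WARN because the tag alone cannot show which release is running.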
Notable changes
- Updated web-vault to v2025.1.1
- Added partial manage role support for collections
- Manager role is converted to a Custom role with either Manage All Collections or per collection.
  Admins and Owners probably want to check and verify if the rights are still correct.
- The OCI containers and binaries are signed via GitHub Attestations
  This allows you to verify an OCI image or even the vaultwarden binary located within the OCI image.
These vulnerabilities affects
What's Changed
- Add inline-menu-positioning-improvements feature flag by @Ephemera42 in https://github.com/dani-garcia/vaultwarden/pull/5313
- Fix issues when uri match is a string by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5332
- Add TOTP delete endpoint by @Timshel in https://github.com/dani-garcia/vaultwarden/pull/5327
- fix group issue in send_invite by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/5321
- Update crates and GHA by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5346
- Refactor the uri match fix and fix ssh-key sync by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5339
- Add partial role support for manager only using web-vault v2024.12.0 by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5219
- Fix issue with key-rotate by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5348
- fix manager role in admin users overview by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/5359
- Prevent new users/members to be stored in db when invite fails by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5350
- Update crates and web-vault to v2025.1.0 by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5368
- Allow building with Rust v1.84.0 or newer by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5371
- rename membership and adopt newtype pattern by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/5320
- build: raise msrv (1.83.0) rust toolchain (1.84.0) by @tessus in https://github.com/dani-garcia/vaultwarden/pull/5374
- Fix an issue with login with device by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5379
- refactor: replace static with const for global constants by @Integral-Tech in https://github.com/dani-garcia/vaultwarden/pull/5260
- Add Attestations for containers and artifacts by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5378
- Fix version detection on bake by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5382
- Simplify container image attestation by @dfunkt in https://github.com/dani-garcia/vaultwarden/pull/5387
- improve admin invite by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/5403
- Add manage role for collections and groups by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5386
- update web-vault to v2025.1.1 and add /api/devices by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/5422
- Security fixes by @BlackDex in https://github.com/dani-garcia/vaultwarden/pull/5438
- only validate SMTP_FROM if necessary by @stefan0xC in https://github.com/dani-garcia/vaultwarden/pull/5442
New Contributors
- @Ephemera42 made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/5313
- @Integral-Tech made their first contribution in https://github.com/dani-garcia/vaultwarden/pull/5260
Full Changelog: https://github.com/dani-garcia/vaultwarden/compare/1.32.7...1.33.0