public inbox for git-commits@fedoraproject.org
* [rpms/vaultwarden] epel10: update to 1.36.0 rhbz#2368636
@ 2026-06-03 13:20 Jonathan Wright
From: Jonathan Wright @ 2026-06-03 13:20 UTC (permalink / raw)
To: git-commits
A new commit has been pushed.
Repo : rpms/vaultwarden
Branch : epel10
Commit : 8c62389194002aeffb1fd71deaeed7a8b62fc920
Author : Jonathan Wright <jonathan@almalinux.org>
Date : 2026-06-03T08:13:04-05:00
Stats : +409/-203 in 13 file(s)
URL : https://src.fedoraproject.org/rpms/vaultwarden/c/8c62389194002aeffb1fd71deaeed7a8b62fc920?branch=epel10
Log:
update to 1.36.0 rhbz#2368636
---
diff --git a/.gitignore b/.gitignore
index e76fdc3..a1bf554 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,5 @@
/vaultwarden-1.33.2-vendor.tar.xz
/vaultwarden-1.34.2.tar.gz
/vaultwarden-1.34.2-vendor.tar.xz
+/vaultwarden-1.36.0.tar.gz
+/vaultwarden-1.36.0-vendor.tar.xz
diff --git a/create-vendor-tarball.sh b/create-vendor-tarball.sh
new file mode 100755
index 0000000..12a7962
--- /dev/null
+++ b/create-vendor-tarball.sh
@@ -0,0 +1,186 @@
+#!/usr/bin/env bash
+#
+# create-vendor-tarball.sh
+#
+# Build the vendored-dependencies tarball for the vaultwarden RPM package.
+#
+# This produces vaultwarden-<VERSION>-vendor.tar.xz (Source1 in the spec)
+# from the `vendor/` directory that `cargo vendor` emits.
+#
+# With --license it also, computed from the vendored dependency tree via
+# cargo2rpm (the same tool behind the %cargo_license_summary / %cargo_license
+# macros that rust2rpm used for the initial spec):
+# - prints a suggested License: block (the comment list plus the combined
+# License tag) -- it only prints this; updating vaultwarden.spec is up to
+# you; and
+# - writes LICENSE.dependencies, the full per-bundled-dependency breakdown.
+#
+# Usage:
+# ./create-vendor-tarball.sh [-l|--license] [VERSION]
+#
+# -l, --license Also print a License: block and write LICENSE.dependencies.
+# VERSION Override the version. Defaults to the Version: field in
+# vaultwarden.spec.
+#
+# Environment:
+# LICENSE_FEATURES Cargo features used when computing the license set.
+# Defaults to "sqlite,mysql,postgresql" (what the spec
+# builds and installs with).
+#
+set -euo pipefail
+
+NAME=vaultwarden
+LICENSE_FEATURES=${LICENSE_FEATURES:-sqlite,mysql,postgresql}
+
+SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+cd "$SCRIPT_DIR"
+
+# --- parse arguments ----------------------------------------------------------
+DO_LICENSE=0
+VERSION=""
+for arg in "$@"; do
+ case $arg in
+ -l|--license) DO_LICENSE=1 ;;
+ -h|--help) sed -n '2,/^set -euo/{/^set -euo/!p}' "$0" | sed 's/^# \?//'; exit 0 ;;
+ -*) echo "error: unknown option '$arg'" >&2; exit 1 ;;
+ *) VERSION=$arg ;;
+ esac
+done
+
+if [[ -z $VERSION ]]; then
+ VERSION=$(grep -oP '^Version:\s*\K\S+' "${NAME}.spec")
+fi
+if [[ -z $VERSION ]]; then
+ echo "error: could not determine version (pass it as the first argument)" >&2
+ exit 1
+fi
+
+TARBALL="${NAME}-${VERSION}.tar.gz"
+VENDOR_TARBALL="${NAME}-${VERSION}-vendor.tar.xz"
+SRC_URL="https://github.com/dani-garcia/${NAME}/archive/${VERSION}/${TARBALL}"
+
+echo ">> Building vendor tarball for ${NAME} ${VERSION}"
+
+# --- check tools --------------------------------------------------------------
+for tool in cargo tar xz; do
+ command -v "$tool" >/dev/null || { echo "error: '$tool' not found in PATH" >&2; exit 1; }
+done
+if [[ $DO_LICENSE -eq 1 ]]; then
+ command -v cargo2rpm >/dev/null || { echo "error: 'cargo2rpm' not found (install rust2rpm)" >&2; exit 1; }
+fi
+
+# --- fetch the upstream source tarball if needed ------------------------------
+if [[ ! -f $TARBALL ]]; then
+ echo ">> $TARBALL not present, downloading from $SRC_URL"
+ command -v curl >/dev/null || { echo "error: 'curl' needed to download the source" >&2; exit 1; }
+ curl -fL --proto '=https' -o "$TARBALL" "$SRC_URL"
+fi
+
+# --- unpack into a throwaway work dir -----------------------------------------
+WORK=$(mktemp -d)
+trap 'rm -rf "$WORK"' EXIT
+
+echo ">> Unpacking $TARBALL"
+tar -C "$WORK" -xf "$TARBALL"
+
+SRC="$WORK/${NAME}-${VERSION}"
+[[ -d $SRC ]] || { echo "error: expected directory $SRC inside $TARBALL" >&2; exit 1; }
+
+# --- vendor -------------------------------------------------------------------
+echo ">> Running cargo vendor"
+# Discard the printed .cargo/config.toml snippet; %cargo_prep -v vendor handles
+# the build-time config. We only want the vendor/ tree itself.
+( cd "$SRC" && cargo vendor --locked vendor >/dev/null )
+
+[[ -d "$SRC/vendor" ]] || { echo "error: cargo vendor produced no vendor/ directory" >&2; exit 1; }
+
+# --- package ------------------------------------------------------------------
+echo ">> Creating $VENDOR_TARBALL"
+rm -f "$SCRIPT_DIR/$VENDOR_TARBALL"
+# Deterministic ordering; xz multi-threaded for speed.
+XZ_OPT="${XZ_OPT:--T0}" tar \
+ --sort=name \
+ --owner=0 --group=0 --numeric-owner \
+ -C "$SRC" -cJf "$SCRIPT_DIR/$VENDOR_TARBALL" vendor
+
+echo
+echo ">> Done: $VENDOR_TARBALL"
+ls -lh "$SCRIPT_DIR/$VENDOR_TARBALL"
+
+# --- suggested License: block -------------------------------------------------
+if [[ $DO_LICENSE -eq 1 ]]; then
+ echo
+ echo ">> Computing License from vendored tree (features: $LICENSE_FEATURES)"
+
+ # cargo2rpm walks the dependency tree with `cargo tree`; point cargo at the
+ # vendored sources so this resolves entirely offline.
+ mkdir -p "$SRC/.cargo"
+ cat >"$SRC/.cargo/config.toml" <<'EOF'
+[source.crates-io]
+replace-with = "vendored-sources"
+[source.vendored-sources]
+directory = "vendor"
+EOF
+
+ summary=$(cd "$SRC" && cargo2rpm -p Cargo.toml license-summary -f "$LICENSE_FEATURES")
+
+ # The comment list: the "# <expr>" lines from the summary (drop the markers).
+ comments=$(grep '^# ' <<<"$summary")
+
+ # The License: tag. The combined tag is the AND of every dependency's
+ # license expression; dedupe it into something human-readable:
+ # - flatten the top-level AND across all expressions,
+ # - drop conjunction parts already covered by a standalone license
+ # (e.g. "Apache-2.0 AND ISC" adds nothing once both appear alone),
+ # - merge OR-groups that are just reorderings of each other
+ # ("MIT OR Apache-2.0" == "Apache-2.0 OR MIT"),
+ # - emit simple licenses first (sorted), then the OR-groups (sorted).
+ # No boolean absorption is done, so each license choice is preserved.
+ tag=$(grep '^# ' <<<"$summary" | python3 -c '
+import sys
+
+def split_top(s, sep):
+ """Split on a top-level " sep " operator, respecting parentheses."""
+ out, depth, tok = [], 0, []
+ for w in s.split(" "):
+ if w == sep and depth == 0:
+ out.append(" ".join(tok)); tok = []
+ continue
+ depth += w.count("(") - w.count(")")
+ tok.append(w)
+ if tok:
+ out.append(" ".join(tok))
+ return out
+
+simples = set()
+groups = {} # frozenset(operands) -> first-seen display form
+for line in sys.stdin:
+ expr = line.strip().lstrip("#").strip()
+ if not expr:
+ continue
+ for part in split_top(expr, "AND"):
+ part = part.strip()
+ if part.startswith("(") and part.endswith(")"):
+ part = part[1:-1].strip()
+ ops = [o.strip() for o in split_top(part, "OR")]
+ if len(ops) == 1:
+ simples.add(ops[0])
+ else:
+ groups.setdefault(frozenset(ops), part)
+
+terms = sorted(simples) + ["(%s)" % g for g in sorted(groups.values())]
+print(" AND ".join(terms))
+')
+
+ echo
+ echo "----- suggested License: block for ${NAME}.spec -----"
+ echo "$comments"
+ printf 'License: %s\n' "$tag"
+ echo "# LICENSE.dependencies contains a full license breakdown"
+ echo "------------------------------------------------------"
+fi
+
+echo
+echo "Next steps:"
+echo " - Make sure $TARBALL and $VENDOR_TARBALL are listed in .gitignore"
+echo " - Upload sources: fedpkg new-sources $TARBALL $VENDOR_TARBALL"
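Review bot: The source tarball is unpacked and handed to cargo vendor with no integrity check. The block under "fetch the upstream source tarball if needed" either reuses any existing file named $TARBALL or downloads it with curl, and nothing compares it to a known digest before the tar -xf. Since the suggested next step, fedpkg new-sources, is run on whatever file is present, consider printing the sha512sum of $TARBALL and $VENDOR_TARBALL at the end so the maintainer can compare the source digest with an independently obtained value. The VERSION argument is also interpolated into paths and the URL unchecked, so rejecting values containing "/" would be cheap. Separately, the tar call sets --sort=name and fixed ownership but no --mtime, so the archive carries whatever timestamps the work directory has and two runs will not produce the same digest. Either pin --mtime or narrow the "Deterministic ordering" comment so it does not suggest a reproducible archive.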
diff --git a/downgrade_diesel_version.patch b/downgrade_diesel_version.patch
deleted file mode 100644
index ecb9d82..0000000
--- a/downgrade_diesel_version.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff --git a/Cargo.toml b/Cargo.toml
-index 46a2b8f6..737f01b9 100644
---- a/Cargo.toml
-+++ b/Cargo.toml
-@@ -78,7 +78,7 @@ serde = { version = "1.0.217", features = ["derive"] }
- serde_json = "1.0.138"
-
- # A safe, extensible ORM and Query builder
--diesel = { version = "2.2.7", features = ["chrono", "r2d2", "numeric"] }
-+diesel = { version = "=2.2.6", features = ["chrono", "r2d2", "numeric"] }
- diesel_migrations = "2.2.0"
- diesel_logger = { version = "0.4.0", optional = true }
-
-@@ -86,7 +86,7 @@ derive_more = { version = "2.0.0", features = ["from", "into", "as_ref", "deref"
- diesel-derive-newtype = "2.1.2"
-
- # Bundled/Static SQLite
--libsqlite3-sys = { version = "0.31.0", features = ["bundled"], optional = true }
-+libsqlite3-sys = { version = "=0.30.1", features = ["bundled"], optional = true }
-
- # Crypto-related libraries
- rand = "0.9.0"
diff --git a/enable-unstable-apis.patch b/enable-unstable-apis.patch
deleted file mode 100644
index b02e17a..0000000
--- a/enable-unstable-apis.patch
+++ /dev/null
@@ -1,10 +0,0 @@
-diff --git a/src/main.rs b/src/main.rs
-index 530c7b2..49b2609 100644
---- a/src/main.rs
-+++ b/src/main.rs
-@@ -1,3 +1,5 @@
-+#![feature(lazy_cell)]
-+#![feature(const_refs_to_static)]
- #![cfg_attr(feature = "unstable", feature(ip))]
- // The recursion_limit is mainly triggered by the json!() macro.
- // The more key/value pairs there are the more recursion occurs.
diff --git a/fix-is_none_or.patch b/fix-is_none_or.patch
deleted file mode 100644
index bc779b6..0000000
--- a/fix-is_none_or.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff --git a/src/db/models/cipher.rs b/src/db/models/cipher.rs
-index c751491..634ffa5 100644
---- a/src/db/models/cipher.rs
-+++ b/src/db/models/cipher.rs
-@@ -279,9 +279,9 @@ impl Cipher {
- // The only way to fix this is by setting type_data_json to `null`
- // Opening this ssh-key in the mobile client will probably crash the client, but you can edit, save and afterwards delete it
- if self.atype == 5
-- && (type_data_json["keyFingerprint"].as_str().is_none_or(|v| v.is_empty())
-- || type_data_json["privateKey"].as_str().is_none_or(|v| v.is_empty())
-- || type_data_json["publicKey"].as_str().is_none_or(|v| v.is_empty()))
-+ && (type_data_json["keyFingerprint"].as_str().map_or(true, |v| v.is_empty())
-+ || type_data_json["privateKey"].as_str().map_or(true, |v| v.is_empty())
-+ || type_data_json["publicKey"].as_str().map_or(true, |v| v.is_empty()))
- {
- warn!("Error parsing ssh-key, mandatory fields are invalid for {}", self.uuid);
- type_data_json = Value::Null;
diff --git a/fix-refutable-pattern-in-for-loop.patch b/fix-refutable-pattern-in-for-loop.patch
deleted file mode 100644
index 155025a..0000000
--- a/fix-refutable-pattern-in-for-loop.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-diff --git a/src/api/icons.rs b/src/api/icons.rs
-index fc4e0cc..eac8298 100644
---- a/src/api/icons.rs
-+++ b/src/api/icons.rs
-@@ -270,28 +270,37 @@ fn get_favicons_node(dom: Tokenizer<StringReader<'_>, FaviconEmitter>, icons: &m
-
- let mut base_url = url.clone();
- let mut icon_tags: Vec<Tag> = Vec::new();
-- for Ok(token) in dom {
-- let tag_name: &[u8] = &token.tag.name;
-- match tag_name {
-- TAG_LINK => {
-- icon_tags.push(token.tag);
-- }
-- TAG_BASE => {
-- base_url = if let Some(href) = token.tag.attributes.get(ATTR_HREF) {
-- let href = std::str::from_utf8(href).unwrap_or_default();
-- debug!("Found base href: {href}");
-- match base_url.join(href) {
-- Ok(inner_url) => inner_url,
-- _ => continue,
-+ for result in dom {
-+ match result {
-+ Ok(token) => {
-+ let tag_name: &[u8] = &token.tag.name;
-+ match tag_name {
-+ TAG_LINK => {
-+ icon_tags.push(token.tag);
- }
-- } else {
-- continue;
-- };
-+ TAG_BASE => {
-+ base_url = if let Some(href) = token.tag.attributes.get(ATTR_HREF) {
-+ let href = std::str::from_utf8(href).unwrap_or_default();
-+ debug!("Found base href: {href}");
-+ match base_url.join(href) {
-+ Ok(inner_url) => inner_url,
-+ _ => continue,
-+ }
-+ } else {
-+ continue;
-+ };
-+ }
-+ TAG_HEAD if token.closing => {
-+ break;
-+ }
-+ _ => {}
-+ }
- }
-- TAG_HEAD if token.closing => {
-- break;
-+ Err(_) => {
-+ // Handle the error case if necessary
-+ // Since the error type is `Infallible`, this branch is technically unreachable
-+ unreachable!();
- }
-- _ => {}
- }
- }
-
diff --git a/lower-rust-version.patch b/lower-rust-version.patch
new file mode 100644
index 0000000..4897c58
--- /dev/null
+++ b/lower-rust-version.patch
@@ -0,0 +1,22 @@
+Lower the minimum supported Rust version from 1.93.0 to 1.92.0.
+
+EPEL branches ship an older Rust toolchain (1.92.0) than upstream's declared
+minimum (1.93.0), which makes cargo refuse to build:
+
+ error: rustc 1.92.0 is not supported by the following packages:
+ macros@0.1.0 requires rustc 1.93.0
+ vaultwarden@1.0.0 requires rustc 1.93.0
+
+Both the vaultwarden crate and the macros workspace member inherit
+rust-version from [workspace.package], so lowering it there is sufficient.
+
+diff --git a/Cargo.toml b/Cargo.toml
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -1,5 +1,5 @@
+ [workspace.package]
+ edition = "2021"
+-rust-version = "1.93.0"
++rust-version = "1.92.0"
+ license = "AGPL-3.0-only"
+ repository = "https://github.com/dani-garcia/vaultwarden"
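Review bot: The patch description explains the build failure but gives no drop condition. Add a line saying the patch can be removed once the EPEL toolchain reaches 1.93.0, and state whether the tree was confirmed to build and pass its tests on 1.92.0, since rust-version only gates cargo's version check and says nothing about which language features the sources actually use.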
diff --git a/remove-remote-git-patch.patch b/remove-remote-git-patch.patch
deleted file mode 100644
index 582ed4d..0000000
--- a/remove-remote-git-patch.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/Cargo.toml b/Cargo.toml
-index f739145..4781559 100644
---- a/Cargo.toml
-+++ b/Cargo.toml
-@@ -168,7 +168,7 @@ grass_compiler = { version = "0.13.4", default-features = false }
-
- [patch.crates-io]
- # Patch yubico to remove duplicate crates of older versions
--yubico = { git = "https://github.com/BlackDex/yubico-rs", rev = "00df14811f58155c0f02e3ab10f1570ed3e115c6" }
-+#yubico = { git = "https://github.com/BlackDex/yubico-rs", rev = "00df14811f58155c0f02e3ab10f1570ed3e115c6" }
-
- # Strip debuginfo from the release builds
- # The symbols are the provide better panic traces
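Review bot: Dropping this patch leaves any [patch.crates-io] git entry in upstream's Cargo.toml active, and the log does not say whether 1.36.0 still has one. The deleted hunk commented out a yubico override pointing at a git URL. If such an entry remains, cargo vendor will fetch it from git, and the .cargo/config.toml written by create-vendor-tarball.sh only replaces source.crates-io, so the offline license step would not cover a git source. Please confirm and record the reason for the removal in the commit message.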
diff --git a/remove-rust-version-check.patch b/remove-rust-version-check.patch
deleted file mode 100644
index 0ef428a..0000000
--- a/remove-rust-version-check.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/Cargo.toml b/Cargo.toml
-index e3755e2..240e00d 100644
---- a/Cargo.toml
-+++ b/Cargo.toml
-@@ -5,7 +5,6 @@ name = "vaultwarden"
- version = "1.0.0"
- authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
- edition = "2021"
--rust-version = "1.83.0"
- resolver = "2"
-
- repository = "https://github.com/dani-garcia/vaultwarden"
diff --git a/rust2rpm.toml b/rust2rpm.toml
deleted file mode 100644
index bdb21df..0000000
--- a/rust2rpm.toml
+++ /dev/null
@@ -1,27 +0,0 @@
-[requires]
-build = [
- "libpq-devel",
- "mariadb-devel",
- "openssl-devel",
- "systemd-rpm-macros",
-]
-
-[scripts]
-[scripts.build]
-post = [
- "%if %{with vendor}",
- "# some vendored files have executable bit but bad shebangs",
- "find vendor/ -type f -executable -exec chmod -x {} +",
- "%endif"
-]
-[scripts.install]
-post = [
- "# filesystem",
- "install -d %{buildroot}%{_sharedstatedir}/%{name}",
- "install -d %{buildroot}%{_localstatedir}/run/%{name}",
- "# configs",
- "install -Dpm 0640 %{SOURCE4} %{buildroot}%{_sysconfdir}/%{name}/%{name}.cfg",
- "# systemd",
- "install -Dp %{SOURCE2} %{buildroot}%{_unitdir}/%{name}.service"
-]
-
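Review bot: With rust2rpm.toml deleted, the steps under [scripts.build] and [scripts.install] have to be carried by vaultwarden.spec by hand, and the spec is not among the hunks shown here. The "install -Dpm 0640" line for the cfg matters more after this update, because the config template gains SSO_CLIENT_SECRET alongside the other keys and tokens it already holds. Please confirm the spec still installs the file 0640 and still clears the executable bit on files under vendor/.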
diff --git a/sources b/sources
index d4e7312..da79bd5 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (vaultwarden-1.34.2.tar.gz) = 85e3849bb9db398b8691a68d675ee7e1c85c65818a86eade9685785f9456d9c6f91048b4fd304f50544f1842623a92fe2c2143cd23b193202cb8b8062f71c693
-SHA512 (vaultwarden-1.34.2-vendor.tar.xz) = 702680f2acc164cfcdff5f09b118426f2ddd44241873d18ea8de5bbdf9903d5d4092fdd2a5a62bb977a2fc8ba88feddb5ea8a03cb879fd6781fc00cf3f96165b
+SHA512 (vaultwarden-1.36.0.tar.gz) = 59b7be22504826a5b3cb7c30d84c2648d80af5bf003b16512401dd734baf05a208651cdd49bc79120a85e43c92df303f2f501521161b7e550c44ffeccb3e5923
+SHA512 (vaultwarden-1.36.0-vendor.tar.xz) = c889f1bf0f9e0ae2d92e4173b0673d6dc926fe5c1e74860c465e9884ba2f8d7ba37075fb0e49e4b1c47d8da2e43b4bc07cf404ed7953edaf2e583060ac0f5684
diff --git a/vaultwarden.cfg b/vaultwarden.cfg
index 7a121cd..05b51d7 100644
--- a/vaultwarden.cfg
+++ b/vaultwarden.cfg
@@ -4,12 +4,25 @@
##
## Be aware that most of these settings will be overridden if they were changed
## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json .
+##
+## By default, Vaultwarden expects for this file to be named ".env" and located
+## in the current working directory. If this is not the case, the environment
+## variable ENV_FILE can be set to the location of this file prior to starting
+## Vaultwarden.
####################
### Data folders ###
####################
## Main data folder
+## This can be a path to local folder or a path to an external location
+## depending on features enabled at build time. Possible external locations:
+##
+## - AWS S3 Bucket (via `s3` feature): s3://bucket-name/path/to/folder
+##
+## When using an external location, make sure to set TMP_FOLDER,
+## TEMPLATES_FOLDER, and DATABASE_URL to local paths and/or a remote database
+## location.
# DATA_FOLDER=/var/lib/vaultwarden
## Individual folders, these override %DATA_FOLDER%
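Review bot: The added paragraph saying the file is expected to be named ".env" in the current working directory does not match this package, which ships the file as vaultwarden.cfg (the removed rust2rpm.toml installed it to %{_sysconfdir}/%{name}/%{name}.cfg). Suggest replacing it with a sentence on how the packaged service loads this file, so administrators do not go looking for a .env.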
@@ -17,10 +30,13 @@
# ICON_CACHE_FOLDER=data/icon_cache
# ATTACHMENTS_FOLDER=data/attachments
# SENDS_FOLDER=data/sends
+
+## Temporary folder used for storing temporary file uploads
+## Must be a local path.
# TMP_FOLDER=data/tmp
-## Templates data folder, by default uses embedded templates
-## Check source code to see the format
+## HTML template overrides data folder
+## Must be a local path.
# TEMPLATES_FOLDER=data/templates
## Automatically reload the templates for every request, slow, use only for development
# RELOAD_TEMPLATES=false
@@ -34,7 +50,9 @@
#########################
## Database URL
-## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3
+## When using SQLite, this is the path to the DB file, and it defaults to
+## %DATA_FOLDER%/db.sqlite3. If DATA_FOLDER is set to an external location, this
+## must be set to a local sqlite3 file path.
# DATABASE_URL=data/db.sqlite3
## When using MySQL, specify an appropriate connection URI.
## Details: https://docs.diesel.rs/2.1.x/diesel/mysql/struct.MysqlConnection.html
@@ -62,8 +80,16 @@
## Timeout when acquiring database connection
# DATABASE_TIMEOUT=30
+## Database idle timeout
+## Timeout in seconds before idle connections to the database are closed.
+# DATABASE_IDLE_TIMEOUT=600
+
+## Database min connections
+## Define the minimum size of the connection pool used for connecting to the database.
+# DATABASE_MIN_CONNS=2
+
## Database max connections
-## Define the size of the connection pool used for connecting to the database.
+## Define the maximum size of the connection pool used for connecting to the database.
# DATABASE_MAX_CONNS=10
## Database connection initialization
@@ -87,15 +113,20 @@
##########################
## Enables push notifications (requires key and id from https://bitwarden.com/host)
-## If you choose "European Union" Data Region, uncomment PUSH_RELAY_URI and PUSH_IDENTITY_URI then replace .com by .eu
## Details about mobile client push notification:
## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification
# PUSH_ENABLED=false
# PUSH_INSTALLATION_ID=CHANGEME
# PUSH_INSTALLATION_KEY=CHANGEME
-## Don't change this unless you know what you're doing.
+
+# WARNING: Do not modify the following settings unless you fully understand their implications!
+# Default Push Relay and Identity URIs
# PUSH_RELAY_URI=https://push.bitwarden.com
# PUSH_IDENTITY_URI=https://identity.bitwarden.com
+# European Union Data Region Settings
+# If you have selected "European Union" as your data region, use the following URIs instead.
+# PUSH_RELAY_URI=https://api.bitwarden.eu
+# PUSH_IDENTITY_URI=https://identity.bitwarden.eu
#####################
### Schedule jobs ###
@@ -107,7 +138,7 @@
## and are always in terms of UTC time (regardless of your local time zone settings).
##
## The schedule format is a bit different from crontab as crontab does not contains seconds.
-## You can test the the format here: https://crontab.guru, but remove the first digit!
+## You can test the format here: https://crontab.guru, but remove the first digit!
## SEC MIN HOUR DAY OF MONTH MONTH DAY OF WEEK
## "0 30 9,12,15 1,15 May-Aug Mon,Wed,Fri"
## "0 30 * * * * "
@@ -147,6 +178,14 @@
## Cron schedule of the job that cleans old auth requests from the auth request.
## Defaults to every minute. Set blank to disable this job.
# AUTH_REQUEST_PURGE_SCHEDULE="30 * * * * *"
+##
+## Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt.
+## Defaults to every minute. Set blank to disable this job.
+# DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *"
+#
+## Cron schedule of the job that cleans sso auth from incomplete flow
+## Defaults to daily (20 minutes after midnight). Set blank to disable this job.
+# PURGE_INCOMPLETE_SSO_AUTH="0 20 0 * * *"
########################
### General settings ###
@@ -215,7 +254,8 @@
# SIGNUPS_ALLOWED=true
## Controls if new users need to verify their email address upon registration
-## Note that setting this option to true prevents logins until the email address has been verified!
+## On new client versions, this will require the user to verify their email at signup time.
+## On older clients, it will require the user to verify their email before they can log in.
## The welcome email will include a verification link, and login attempts will periodically
## trigger another verification email to be sent.
# SIGNUPS_VERIFY=false
@@ -245,7 +285,7 @@
## A comma-separated list means only those users can create orgs:
# ORG_CREATION_USERS=admin1@example.com,admin2@example.com
-## Invitations org admins to invite users, even when signups are disabled
+## Allows org admins to invite users, even when signups are disabled
# INVITATIONS_ALLOWED=true
## Name shown in the invitation emails that don't come from a specific organization
# INVITATION_ORG_NAME=Vaultwarden
@@ -266,12 +306,13 @@
## The default for new users. If changed, it will be updated during login for existing users.
# PASSWORD_ITERATIONS=600000
-## Controls whether users can set password hints. This setting applies globally to all users.
+## Controls whether users can set or show password hints. This setting applies globally to all users.
# PASSWORD_HINTS_ALLOWED=true
## Controls whether a password hint should be shown directly in the web page if
-## SMTP service is not configured. Not recommended for publicly-accessible instances
-## as this provides unauthenticated access to potentially sensitive data.
+## SMTP service is not configured and password hints are allowed.
+## Not recommended for publicly-accessible instances because this provides
+## unauthenticated access to potentially sensitive data.
# SHOW_PASSWORD_HINT=false
#########################
@@ -307,34 +348,46 @@
## Default: 2592000 (30 days)
# ICON_CACHE_TTL=2592000
## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
-## Default: 2592000 (3 days)
+## Default: 259200 (3 days)
# ICON_CACHE_NEGTTL=259200
## Icon download timeout
## Configure the timeout value when downloading the favicons.
-## The default is 10 seconds, but this could be to low on slower network connections
+## The default is 10 seconds, but this could be too low on slower network connections
# ICON_DOWNLOAD_TIMEOUT=10
-## Icon blacklist Regex
-## Any domains or IPs that match this regex won't be fetched by the icon service.
+## Block HTTP domains/IPs by Regex
+## Any domains or IPs that match this regex won't be fetched by the internal HTTP client.
## Useful to hide other servers in the local network. Check the WIKI for more details
-## NOTE: Always enclose this regex withing single quotes!
-# ICON_BLACKLIST_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$'
+## NOTE: Always enclose this regex within single quotes!
+# HTTP_REQUEST_BLOCK_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$'
-## Any IP which is not defined as a global IP will be blacklisted.
+## Enabling this will cause the internal HTTP client to refuse to connect to any non-global IP address.
## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
-# ICON_BLACKLIST_NON_GLOBAL_IPS=true
+# HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=true
## Client Settings
## Enable experimental feature flags for clients.
## This is a comma-separated list of flags, e.g. "flag1,flag2,flag3".
+## Note that clients cache the /api/config endpoint for about 1 hour and it could take some time before they are enabled or disabled!
##
## The following flags are available:
-## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
-## - "autofill-v2": Use the new autofill implementation.
-## - "browser-fileless-import": Directly import credentials from other providers without a file.
-## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
-# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials
+## - "pm-5594-safari-account-switching": Enable account switching in Safari. (Safari >= 2026.2.0)
+## - "ssh-agent": Enable SSH agent support on Desktop. (Desktop >= 2024.12.0)
+## - "ssh-agent-v2": Enable newer SSH agent support. (Desktop >= 2026.2.1)
+## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Clients >= 2024.12.0)
+## - "pm-25373-windows-biometrics-v2": Enable the new implementation of biometrics on Windows. (Desktop >= 2025.11.0)
+## - "anon-addy-self-host-alias": Enable configuring self-hosted Anon Addy alias generator. (Android >= 2025.3.0, iOS >= 2025.4.0)
+## - "simple-login-self-host-alias": Enable configuring self-hosted Simple Login alias generator. (Android >= 2025.3.0, iOS >= 2025.4.0)
+## - "mutual-tls": Enable the use of mutual TLS on Android (Clients >= 2025.2.0)
+## - "cxp-import-mobile": Enable the import via CXP on iOS (Clients >= 2025.9.2)
+## - "cxp-export-mobile": Enable the export via CXP on iOS (Clients >= 2025.9.2)
+## - "pm-30529-webauthn-related-origins":
+## - "desktop-ui-migration-milestone-1": Special feature flag for desktop UI (Desktop >= 2026.2.0)
+## - "desktop-ui-migration-milestone-2": Special feature flag for desktop UI (Desktop >= 2026.2.0)
+## - "desktop-ui-migration-milestone-3": Special feature flag for desktop UI (Desktop >= 2026.2.0)
+## - "desktop-ui-migration-milestone-4": Special feature flag for desktop UI (Desktop >= 2026.2.0)
+# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=
## Require new device emails. When a user logs in an email is required to be sent.
## If sending the email fails the login attempt will fail!!
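Review bot: The rename of ICON_BLACKLIST_REGEX and ICON_BLACKLIST_NON_GLOBAL_IPS to HTTP_REQUEST_BLOCK_REGEX and HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS is made here without any note for existing installations, which will still have the old names in their own copy of the config. These settings restrict which hosts the server's HTTP client will connect to, so the comment or the package changelog should state whether 1.36.0 still honours the old names and, if it does not, tell administrators to rename them on upgrade. Also, "pm-30529-webauthn-related-origins" is listed with no description, unlike every other flag in the list.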
@@ -357,8 +410,9 @@
## Log level
## Change the verbosity of the log output
## Valid values are "trace", "debug", "info", "warn", "error" and "off"
-## Setting it to "trace" or "debug" would also show logs for mounted
-## routes and static file, websocket and alive requests
+## Setting it to "trace" or "debug" would also show logs for mounted routes and static file, websocket and alive requests
+## For a specific module append a comma separated `path::to::module=log_level`
+## For example, to only see debug logs for icons use: LOG_LEVEL="info,vaultwarden::api::icons=debug"
# LOG_LEVEL=info
## Token for the admin interface, preferably an Argon2 PCH string
@@ -391,6 +445,14 @@
## Multiple values must be separated with a whitespace.
# ALLOWED_IFRAME_ANCESTORS=
+## Allowed connect-src (Know the risks!)
+## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
+## Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature
+## This adds the configured value to the 'Content-Security-Policy' headers 'connect-src' value.
+## Multiple values must be separated with a whitespace. And only HTTPS values are allowed.
+## Example: "https://my-addy-io.domain.tld https://my-simplelogin.domain.tld"
+# ALLOWED_CONNECT_SRC=""
+
## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in.
# LOGIN_RATELIMIT_SECONDS=60
## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`.
@@ -404,6 +466,72 @@
## KNOW WHAT YOU ARE DOING!
# ORG_GROUPS_ENABLED=false
+## Increase secure note size limit (Know the risks!)
+## Sets the secure note size limit to 100_000 instead of the default 10_000.
+## WARNING: This could cause issues with clients. Also exports will not work on Bitwarden servers!
+## KNOW WHAT YOU ARE DOING!
+# INCREASE_NOTE_SIZE_LIMIT=false
+
+## Enforce Single Org with Reset Password Policy
+## Enforce that the Single Org policy is enabled before setting the Reset Password policy
+## Bitwarden enforces this by default. In Vaultwarden we encouraged to use multiple organizations because groups were not available.
+## Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy.
+# ENFORCE_SINGLE_ORG_WITH_RESET_PW_POLICY=false
+
+## Prefer IPv6 (AAAA) resolving
+## This settings configures the DNS resolver to resolve IPv6 first, and if not available try IPv4
+## This could be useful in IPv6 only environments.
+# DNS_PREFER_IPV6=false
+
+#####################################
+### SSO settings (OpenID Connect) ###
+#####################################
+
+## Controls whether users can login using an OpenID Connect identity provider
+# SSO_ENABLED=false
+
+## Prevent users from logging in directly without going through SSO
+# SSO_ONLY=false
+
+## On SSO Signup if a user with a matching email already exists make the association
+# SSO_SIGNUPS_MATCH_EMAIL=true
+
+## Allow unknown email verification status. Allowing this with `SSO_SIGNUPS_MATCH_EMAIL=true` open potential account takeover.
+# SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=false
+
+## Base URL of the OIDC server (auto-discovery is used)
+## - Should not include the `/.well-known/openid-configuration` part and no trailing `/`
+## - ${SSO_AUTHORITY}/.well-known/openid-configuration should return a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
+# SSO_AUTHORITY=https://auth.example.com
+
+## Authorization request scopes. Optional SSO scopes, override if email and profile are not enough (`openid` is implicit).
+# SSO_SCOPES="email profile"
+
+## Additional authorization url parameters (ex: to obtain a `refresh_token` with Google Auth).
+# SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"
+
+## Activate PKCE for the Auth Code flow.
+# SSO_PKCE=true
+
+## Regex for additional trusted Id token audience (by default only the client_id is trusted).
+# SSO_AUDIENCE_TRUSTED='^$'
+
+## Set your Client ID and Client Key
+# SSO_CLIENT_ID=11111
+# SSO_CLIENT_SECRET=AAAAAAAAAAAAAAAAAAAAAAAA
+
+## Optional Master password policy (minComplexity=[0-4]), `enforceOnLogin` is not supported at the moment.
+# SSO_MASTER_PASSWORD_POLICY='{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}'
+
+## Use sso only for authentication not the session lifecycle
+# SSO_AUTH_ONLY_NOT_SESSION=false
+
+## Client cache for discovery endpoint. Duration in seconds (0 to disable).
+# SSO_CLIENT_CACHE_EXPIRATION=0
+
+## Log all the tokens, LOG_LEVEL=debug is required
+# SSO_DEBUG_TOKENS=false
+
########################
### MFA/2FA settings ###
########################
@@ -417,15 +545,21 @@
# YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify
## Duo Settings
-## You need to configure all options to enable global Duo support, otherwise users would need to configure it themselves
+## You need to configure the DUO_IKEY, DUO_SKEY, and DUO_HOST options to enable global Duo support.
+## Otherwise users will need to configure it themselves.
## Create an account and protect an application as mentioned in this link (only the first step, not the rest):
## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account
## Then set the following options, based on the values obtained from the last step:
-# DUO_IKEY=<Integration Key>
-# DUO_SKEY=<Secret Key>
+# DUO_IKEY=<Client ID>
+# DUO_SKEY=<Client Secret>
# DUO_HOST=<API Hostname>
## After that, you should be able to follow the rest of the guide linked above,
## ignoring the fields that ask for the values that you already configured beforehand.
+##
+## If you want to attempt to use Duo's 'Traditional Prompt' (deprecated, iframe based) set DUO_USE_IFRAME to 'true'.
+## Duo no longer supports this, but it still works for some integrations.
+## If you aren't sure, leave this alone.
+# DUO_USE_IFRAME=false
## Email 2FA settings
## Email token size
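Review bot: The placeholders on `DUO_IKEY` and `DUO_SKEY` now read Client ID and Client Secret, but nothing in the comment ties those labels to the IKEY/SKEY variable names. Add one line that maps them (DUO_IKEY is the Client ID, DUO_SKEY is the Client Secret) so the reader does not have to guess. The `DUO_USE_IFRAME` text already says the traditional prompt is deprecated and to leave it alone if unsure, which is the right default to document.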
@@ -440,7 +574,7 @@
## Maximum attempts before an email token is reset and a new email will need to be sent.
# EMAIL_ATTEMPTS_LIMIT=3
##
-## Setup email 2FA regardless of any organization policy
+## Setup email 2FA on registration regardless of any organization policy
# EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE=false
## Automatically setup email 2FA as fallback provider when needed
# EMAIL_2FA_AUTO_FALLBACK=false
@@ -457,7 +591,7 @@
##
## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
## we allow by default the TOTP code which was valid one step back and one in the future.
-## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
+## This can however allow attackers to be a bit more lucky with their attempts because there are 3 valid codes.
## You can disable this, so that only the current TOTP Code is allowed.
## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
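Review bot: The "there" to "their" fix stops one line short of the remaining typos in the same comment block: the unchanged context below still reads "when a sever drifts out of time" and "codes which predates it". If this paragraph is being corrected, change "sever" to "server" and "predates" to "predate" in the same pass.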
@@ -497,7 +631,7 @@
# SMTP_AUTH_MECHANISM=
## Server name sent during the SMTP HELO
-## By default this value should be is on the machine's hostname,
+## By default this value should be the machine's hostname,
## but might need to be changed in case it trips some anti-spam filters
# HELO_NAME=
@@ -526,7 +660,7 @@
## Rocket specific settings
## See https://rocket.rs/v0.5/guide/configuration/ for more details.
-# ROCKET_ADDRESS=127.0.0.1
+# ROCKET_ADDRESS=0.0.0.0
## The default port is 8000, unless running in a Docker container, in which case it is 80.
# ROCKET_PORT=8000
# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
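Review bot: The commented example for `ROCKET_ADDRESS` moves from `127.0.0.1` to `0.0.0.0`, so an administrator who simply uncomments the line now gets a listener on every interface instead of loopback only, and `ROCKET_TLS` two lines below is still commented out. For a packaged configuration I would keep the loopback example, or add a comment line stating that `0.0.0.0` exposes the service on all interfaces and is intended for deployments that sit behind a reverse proxy or inside a container. If the change only tracks the upstream template, say so in the commit message.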
diff --git a/vaultwarden.spec b/vaultwarden.spec
index 1ca3800..cacc678 100644
--- a/vaultwarden.spec
+++ b/vaultwarden.spec
@@ -9,34 +9,42 @@
%global rustflags_debuginfo 1
Name: vaultwarden
-Version: 1.34.2
-Release: 2%{?dist}
+Version: 1.36.0
+Release: 1%{?dist}
Summary: Unofficial Bitwarden compatible server
ExcludeArch: ppc64le s390x
# (Apache-2.0 OR MIT) AND BSD-3-Clause
+# (MIT OR Apache-2.0) AND Apache-2.0
+# (MIT OR Apache-2.0) AND Unicode-3.0
# 0BSD
# 0BSD OR MIT OR Apache-2.0
# AGPL-3.0-only
# Apache-2.0
+# Apache-2.0 AND ISC
# Apache-2.0 OR BSL-1.0
# Apache-2.0 OR ISC OR MIT
# Apache-2.0 OR MIT
# Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT
# BSD-2-Clause OR Apache-2.0 OR MIT
# BSD-3-Clause
+# BSD-3-Clause AND MIT
# BSD-3-Clause OR MIT
+# CDLA-Permissive-2.0
# ISC
-# ISC AND MIT AND OpenSSL
# MIT
# MIT OR Apache-2.0
+# MIT OR Apache-2.0 OR BSD-1-Clause
+# MIT OR Apache-2.0 OR LGPL-2.1-or-later
# MIT OR Apache-2.0 OR Zlib
# MIT OR Zlib OR Apache-2.0
# MPL-2.0
+# Unicode-3.0
# Unlicense OR MIT
+# Zlib
# Zlib OR Apache-2.0 OR MIT
-License: AGPL-3.0-only AND BSD-3-Clause AND 0BSD AND Apache-2.0 AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT) AND (BSD-2-Clause OR Apache-2.0 OR MIT) AND BSD-3-Clause AND ISC AND MIT AND MPL-2.0 AND (Unlicense OR MIT) AND (Zlib OR Apache-2.0 OR MIT) AND (ISC AND MIT AND OpenSSL)
+License: 0BSD AND AGPL-3.0-only AND Apache-2.0 AND BSD-3-Clause AND CDLA-Permissive-2.0 AND ISC AND MIT AND MPL-2.0 AND Unicode-3.0 AND Zlib AND (0BSD OR MIT OR Apache-2.0) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR ISC OR MIT) AND (Apache-2.0 OR MIT) AND (Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT) AND (BSD-2-Clause OR Apache-2.0 OR MIT) AND (BSD-3-Clause OR MIT) AND (MIT OR Apache-2.0 OR BSD-1-Clause) AND (MIT OR Apache-2.0 OR LGPL-2.1-or-later) AND (MIT OR Apache-2.0 OR Zlib) AND (Unlicense OR MIT)
# LICENSE.dependencies contains a full license breakdown
URL: https://github.com/dani-garcia/vaultwarden
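Review bot: The commit message does not say how the new `License:` tag and the comment list above it were produced. The old `ISC AND MIT AND OpenSSL` entry disappears from both, and several new terms appear (`CDLA-Permissive-2.0`, `Unicode-3.0`, `LGPL-2.1-or-later`, `BSD-1-Clause`). State that the block was regenerated from the vendored tree with `create-vendor-tarball.sh --license` rather than edited by hand, so the next reviewer can reproduce it and compare against `LICENSE.dependencies`.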
@@ -45,6 +53,12 @@ Source1: vaultwarden-%{version}-vendor.tar.xz
Source2: vaultwarden.service
Source3: vaultwarden.cfg
Source4: vaultwarden.sysusers
+Source99: create-vendor-tarball.sh
+
+# EL 9.8/10.2 ship an older Rust toolchain (1.92.0) vs 1.93.0 desired
+%if 0%{?rhel}
+Patch0: lower-rust-version.patch
+%endif
ExcludeArch: i686
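Review bot: `Patch0` is declared inside `%if 0%{?rhel}`, so whether `lower-rust-version.patch` ends up in the source package depends on where the SRPM is built. Declare the patch unconditionally and make only its application conditional, which keeps the SRPM contents identical on every build host. The comment also names specific releases (EL 9.8/10.2, Rust 1.92.0 vs 1.93.0) while the condition matches every RHEL-like build; either narrow the condition or note in the comment when the patch can be dropped.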
@@ -78,7 +92,6 @@ Requires: %{name}-web
%build
export VW_VERSION=%{version}
%cargo_build -f sqlite,mysql,postgresql
-%cargo_build -f sqlite
%{cargo_license_summary}
%{cargo_license} > LICENSE.dependencies
%{cargo_vendor_manifest}
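Review bot: Dropping the second `%cargo_build -f sqlite` is not mentioned in the commit message or the changelog. If that second invocation used to overwrite the output of the `sqlite,mysql,postgresql` build, the shipped binary changes its enabled database backends with this commit, which users should see in the changelog. If it was only a redundant rebuild, a short "remove duplicate build" entry is enough.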
@@ -144,6 +157,17 @@ install -Dp %{SOURCE2} %{buildroot}%{_unitdir}/%{name}.service
%changelog
+* Wed Jun 03 2026 Jonathan Wright <jonathan@almalinux.org> - 1.36.0-1
+- update to 1.36.0 rhbz#2368636
+- Fix bitwarden mobile app not working rhbz#2437599
+- Fix CVE-2025-58160 vaultwarden: Tracing log pollution
+- Fix CVE-2026-25537 vaultwarden: jsonwebtoken has Type Confusion that leads to potential authorization bypass
+- Fix CVE-2026-25727 vaultwarden: time affected by a stack exhaustion denial of service attack
+- Fix CVE-2026-26012 vaultwarden: Information disclosure due to bypassed collection permissions
+- Fix CVE-2026-27898 vaultwarden: Information disclosure via API partial update
+- Fix CVE-2026-27803 vaultwarden: Unauthorized collection management operations due to improper access control
+- Fix CVE-2026-27801 vaultwarden: Two-factor authentication bypass allows unauthorized access and data deletion
+
* Sat Jan 17 2026 Fedora Release Engineering <releng@fedoraproject.org> - 1.34.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
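Review bot: The seven CVE entries in the new changelog block carry no tracking bug references, unlike the two `rhbz#` lines above them. Add the corresponding bug IDs so each fix can be traced and the trackers can be closed by the update. The commit subject also mentions only the version bump; given that the entries include an authorization bypass and a two-factor authentication bypass, the subject or body should flag this as a security update so it is prioritised accordingly.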