public inbox for git-commits@fedoraproject.org
From: Jonathan Wright <jonathan@almalinux.org>
To: git-commits@fedoraproject.org
Subject: [rpms/vaultwarden] epel9: update to 1.36.0 rhbz#2368636
Date: Wed, 03 Jun 2026 13:21:19 GMT
Message-ID: <178049287922.1.17443769808156101181.rpms-vaultwarden-8c6238919400@fedoraproject.org>

A new commit has been pushed.

Repo   : rpms/vaultwarden
Branch : epel9
Commit : 8c62389194002aeffb1fd71deaeed7a8b62fc920
Author : Jonathan Wright <jonathan@almalinux.org>
Date   : 2026-06-03T08:13:04-05:00
Stats  : +409/-203 in 13 file(s)
URL    : https://src.fedoraproject.org/rpms/vaultwarden/c/8c62389194002aeffb1fd71deaeed7a8b62fc920?branch=epel9

Log:
update to 1.36.0 rhbz#2368636

---
diff --git a/.gitignore b/.gitignore
index e76fdc3..a1bf554 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,5 @@
 /vaultwarden-1.33.2-vendor.tar.xz
 /vaultwarden-1.34.2.tar.gz
 /vaultwarden-1.34.2-vendor.tar.xz
+/vaultwarden-1.36.0.tar.gz
+/vaultwarden-1.36.0-vendor.tar.xz

diff --git a/create-vendor-tarball.sh b/create-vendor-tarball.sh
new file mode 100755
index 0000000..12a7962
--- /dev/null
+++ b/create-vendor-tarball.sh
@@ -0,0 +1,186 @@
+#!/usr/bin/env bash
+#
+# create-vendor-tarball.sh
+#
+# Build the vendored-dependencies tarball for the vaultwarden RPM package.
+#
+# This produces  vaultwarden-<VERSION>-vendor.tar.xz  (Source1 in the spec)
+# from the `vendor/` directory that `cargo vendor` emits.
+#
+# With --license it also, computed from the vendored dependency tree via
+# cargo2rpm (the same tool behind the %cargo_license_summary / %cargo_license
+# macros that rust2rpm used for the initial spec):
+#   - prints a suggested License: block (the comment list plus the combined
+#     License tag) -- it only prints this; updating vaultwarden.spec is up to
+#     you; and
+#   - writes LICENSE.dependencies, the full per-bundled-dependency breakdown.
+#
+# Usage:
+#   ./create-vendor-tarball.sh [-l|--license] [VERSION]
+#
+#   -l, --license   Also print a License: block and write LICENSE.dependencies.
+#   VERSION         Override the version. Defaults to the Version: field in
+#                   vaultwarden.spec.
+#
+# Environment:
+#   LICENSE_FEATURES  Cargo features used when computing the license set.
+#                     Defaults to "sqlite,mysql,postgresql" (what the spec
+#                     builds and installs with).
+#
+set -euo pipefail
+
+NAME=vaultwarden
+LICENSE_FEATURES=${LICENSE_FEATURES:-sqlite,mysql,postgresql}
+
+SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+cd "$SCRIPT_DIR"
+
+# --- parse arguments ----------------------------------------------------------
+DO_LICENSE=0
+VERSION=""
+for arg in "$@"; do
+    case $arg in
+        -l|--license) DO_LICENSE=1 ;;
+        -h|--help) sed -n '2,/^set -euo/{/^set -euo/!p}' "$0" | sed 's/^# \?//'; exit 0 ;;
+        -*) echo "error: unknown option '$arg'" >&2; exit 1 ;;
+        *) VERSION=$arg ;;
+    esac
+done
+
+if [[ -z $VERSION ]]; then
+    VERSION=$(grep -oP '^Version:\s*\K\S+' "${NAME}.spec")
+fi
+if [[ -z $VERSION ]]; then
+    echo "error: could not determine version (pass it as the first argument)" >&2
+    exit 1
+fi
+
+TARBALL="${NAME}-${VERSION}.tar.gz"
+VENDOR_TARBALL="${NAME}-${VERSION}-vendor.tar.xz"
+SRC_URL="https://github.com/dani-garcia/${NAME}/archive/${VERSION}/${TARBALL}"
+
+echo ">> Building vendor tarball for ${NAME} ${VERSION}"
+
+# --- check tools --------------------------------------------------------------
+for tool in cargo tar xz; do
+    command -v "$tool" >/dev/null || { echo "error: '$tool' not found in PATH" >&2; exit 1; }
+done
+if [[ $DO_LICENSE -eq 1 ]]; then
+    command -v cargo2rpm >/dev/null || { echo "error: 'cargo2rpm' not found (install rust2rpm)" >&2; exit 1; }
+fi
+
+# --- fetch the upstream source tarball if needed ------------------------------
+if [[ ! -f $TARBALL ]]; then
+    echo ">> $TARBALL not present, downloading from $SRC_URL"
+    command -v curl >/dev/null || { echo "error: 'curl' needed to download the source" >&2; exit 1; }
+    curl -fL --proto '=https' -o "$TARBALL" "$SRC_URL"
+fi
+
+# --- unpack into a throwaway work dir -----------------------------------------
+WORK=$(mktemp -d)
+trap 'rm -rf "$WORK"' EXIT
+
+echo ">> Unpacking $TARBALL"
+tar -C "$WORK" -xf "$TARBALL"
+
+SRC="$WORK/${NAME}-${VERSION}"
+[[ -d $SRC ]] || { echo "error: expected directory $SRC inside $TARBALL" >&2; exit 1; }
+
+# --- vendor -------------------------------------------------------------------
+echo ">> Running cargo vendor"
+# Discard the printed .cargo/config.toml snippet; %cargo_prep -v vendor handles
+# the build-time config. We only want the vendor/ tree itself.
+( cd "$SRC" && cargo vendor --locked vendor >/dev/null )
+
+[[ -d "$SRC/vendor" ]] || { echo "error: cargo vendor produced no vendor/ directory" >&2; exit 1; }
+
+# --- package ------------------------------------------------------------------
+echo ">> Creating $VENDOR_TARBALL"
+rm -f "$SCRIPT_DIR/$VENDOR_TARBALL"
+# Deterministic ordering; xz multi-threaded for speed.
+XZ_OPT="${XZ_OPT:--T0}" tar \
+    --sort=name \
+    --owner=0 --group=0 --numeric-owner \
+    -C "$SRC" -cJf "$SCRIPT_DIR/$VENDOR_TARBALL" vendor
+
+echo
+echo ">> Done: $VENDOR_TARBALL"
+ls -lh "$SCRIPT_DIR/$VENDOR_TARBALL"
+
+# --- suggested License: block -------------------------------------------------
+if [[ $DO_LICENSE -eq 1 ]]; then
+    echo
+    echo ">> Computing License from vendored tree (features: $LICENSE_FEATURES)"
+
+    # cargo2rpm walks the dependency tree with `cargo tree`; point cargo at the
+    # vendored sources so this resolves entirely offline.
+    mkdir -p "$SRC/.cargo"
+    cat >"$SRC/.cargo/config.toml" <<'EOF'
+[source.crates-io]
+replace-with = "vendored-sources"
+[source.vendored-sources]
+directory = "vendor"
+EOF
+
+    summary=$(cd "$SRC" && cargo2rpm -p Cargo.toml license-summary -f "$LICENSE_FEATURES")
+
+    # The comment list: the "# <expr>" lines from the summary (drop the markers).
+    comments=$(grep '^# ' <<<"$summary")
+
+    # The License: tag. The combined tag is the AND of every dependency's
+    # license expression; dedupe it into something human-readable:
+    #   - flatten the top-level AND across all expressions,
+    #   - drop conjunction parts already covered by a standalone license
+    #     (e.g. "Apache-2.0 AND ISC" adds nothing once both appear alone),
+    #   - merge OR-groups that are just reorderings of each other
+    #     ("MIT OR Apache-2.0" == "Apache-2.0 OR MIT"),
+    #   - emit simple licenses first (sorted), then the OR-groups (sorted).
+    # No boolean absorption is done, so each license choice is preserved.
+    tag=$(grep '^# ' <<<"$summary" | python3 -c '
+import sys
+
+def split_top(s, sep):
+    """Split on a top-level " sep " operator, respecting parentheses."""
+    out, depth, tok = [], 0, []
+    for w in s.split(" "):
+        if w == sep and depth == 0:
+            out.append(" ".join(tok)); tok = []
+            continue
+        depth += w.count("(") - w.count(")")
+        tok.append(w)
+    if tok:
+        out.append(" ".join(tok))
+    return out
+
+simples = set()
+groups = {}  # frozenset(operands) -> first-seen display form
+for line in sys.stdin:
+    expr = line.strip().lstrip("#").strip()
+    if not expr:
+        continue
+    for part in split_top(expr, "AND"):
+        part = part.strip()
+        if part.startswith("(") and part.endswith(")"):
+            part = part[1:-1].strip()
+        ops = [o.strip() for o in split_top(part, "OR")]
+        if len(ops) == 1:
+            simples.add(ops[0])
+        else:
+            groups.setdefault(frozenset(ops), part)
+
+terms = sorted(simples) + ["(%s)" % g for g in sorted(groups.values())]
+print(" AND ".join(terms))
+')
+
+    echo
+    echo "----- suggested License: block for ${NAME}.spec -----"
+    echo "$comments"
+    printf 'License:        %s\n' "$tag"
+    echo "# LICENSE.dependencies contains a full license breakdown"
+    echo "------------------------------------------------------"
+fi
+
+echo
+echo "Next steps:"
+echo "  - Make sure $TARBALL and $VENDOR_TARBALL are listed in .gitignore"
+echo "  - Upload sources:   fedpkg new-sources $TARBALL $VENDOR_TARBALL"
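
Review bot: The header comment and the last echo of the --license branch both say LICENSE.dependencies is written, but no command in the script creates that file; the branch only runs `cargo2rpm -p Cargo.toml license-summary` and prints the result. Either add the step that generates it or drop the claim from the usage text and the printed block. Separately, under `set -euo pipefail` the assignment `VERSION=$(grep -oP '^Version:\s*\K\S+' "${NAME}.spec")` exits the script as soon as grep finds no match, so the "could not determine version" message right after it is never reached; appending `|| true` inside the substitution keeps that error path alive, and the same applies to `comments=$(grep '^# ' <<<"$summary")`. The freshly downloaded $TARBALL is also unpacked and vendored with no integrity check; printing its SHA512 alongside the "Next steps" output would give the packager a value to compare before the hash is committed to `sources` by `fedpkg new-sources`.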

diff --git a/downgrade_diesel_version.patch b/downgrade_diesel_version.patch
deleted file mode 100644
index ecb9d82..0000000
--- a/downgrade_diesel_version.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff --git a/Cargo.toml b/Cargo.toml
-index 46a2b8f6..737f01b9 100644
---- a/Cargo.toml
-+++ b/Cargo.toml
-@@ -78,7 +78,7 @@ serde = { version = "1.0.217", features = ["derive"] }
- serde_json = "1.0.138"
-
- # A safe, extensible ORM and Query builder
--diesel = { version = "2.2.7", features = ["chrono", "r2d2", "numeric"] }
-+diesel = { version = "=2.2.6", features = ["chrono", "r2d2", "numeric"] }
- diesel_migrations = "2.2.0"
- diesel_logger = { version = "0.4.0", optional = true }
-
-@@ -86,7 +86,7 @@ derive_more = { version = "2.0.0", features = ["from", "into", "as_ref", "deref"
- diesel-derive-newtype = "2.1.2"
-
- # Bundled/Static SQLite
--libsqlite3-sys = { version = "0.31.0", features = ["bundled"], optional = true }
-+libsqlite3-sys = { version = "=0.30.1", features = ["bundled"], optional = true }
-
- # Crypto-related libraries
- rand = "0.9.0"

diff --git a/enable-unstable-apis.patch b/enable-unstable-apis.patch
deleted file mode 100644
index b02e17a..0000000
--- a/enable-unstable-apis.patch
+++ /dev/null
@@ -1,10 +0,0 @@
-diff --git a/src/main.rs b/src/main.rs
-index 530c7b2..49b2609 100644
---- a/src/main.rs
-+++ b/src/main.rs
-@@ -1,3 +1,5 @@
-+#![feature(lazy_cell)]
-+#![feature(const_refs_to_static)]
- #![cfg_attr(feature = "unstable", feature(ip))]
- // The recursion_limit is mainly triggered by the json!() macro.
- // The more key/value pairs there are the more recursion occurs.

diff --git a/fix-is_none_or.patch b/fix-is_none_or.patch
deleted file mode 100644
index bc779b6..0000000
--- a/fix-is_none_or.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff --git a/src/db/models/cipher.rs b/src/db/models/cipher.rs
-index c751491..634ffa5 100644
---- a/src/db/models/cipher.rs
-+++ b/src/db/models/cipher.rs
-@@ -279,9 +279,9 @@ impl Cipher {
-         // The only way to fix this is by setting type_data_json to `null`
-         // Opening this ssh-key in the mobile client will probably crash the client, but you can edit, save and afterwards delete it
-         if self.atype == 5
--            && (type_data_json["keyFingerprint"].as_str().is_none_or(|v| v.is_empty())
--                || type_data_json["privateKey"].as_str().is_none_or(|v| v.is_empty())
--                || type_data_json["publicKey"].as_str().is_none_or(|v| v.is_empty()))
-+            && (type_data_json["keyFingerprint"].as_str().map_or(true, |v| v.is_empty())
-+                || type_data_json["privateKey"].as_str().map_or(true, |v| v.is_empty())
-+                || type_data_json["publicKey"].as_str().map_or(true, |v| v.is_empty()))
-         {
-             warn!("Error parsing ssh-key, mandatory fields are invalid for {}", self.uuid);
-             type_data_json = Value::Null;

diff --git a/fix-refutable-pattern-in-for-loop.patch b/fix-refutable-pattern-in-for-loop.patch
deleted file mode 100644
index 155025a..0000000
--- a/fix-refutable-pattern-in-for-loop.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-diff --git a/src/api/icons.rs b/src/api/icons.rs
-index fc4e0cc..eac8298 100644
---- a/src/api/icons.rs
-+++ b/src/api/icons.rs
-@@ -270,28 +270,37 @@ fn get_favicons_node(dom: Tokenizer<StringReader<'_>, FaviconEmitter>, icons: &m
- 
-     let mut base_url = url.clone();
-     let mut icon_tags: Vec<Tag> = Vec::new();
--    for Ok(token) in dom {
--        let tag_name: &[u8] = &token.tag.name;
--        match tag_name {
--            TAG_LINK => {
--                icon_tags.push(token.tag);
--            }
--            TAG_BASE => {
--                base_url = if let Some(href) = token.tag.attributes.get(ATTR_HREF) {
--                    let href = std::str::from_utf8(href).unwrap_or_default();
--                    debug!("Found base href: {href}");
--                    match base_url.join(href) {
--                        Ok(inner_url) => inner_url,
--                        _ => continue,
-+    for result in dom {
-+        match result {
-+            Ok(token) => {
-+                let tag_name: &[u8] = &token.tag.name;
-+                match tag_name {
-+                    TAG_LINK => {
-+                        icon_tags.push(token.tag);
-                     }
--                } else {
--                    continue;
--                };
-+                    TAG_BASE => {
-+                        base_url = if let Some(href) = token.tag.attributes.get(ATTR_HREF) {
-+                            let href = std::str::from_utf8(href).unwrap_or_default();
-+                            debug!("Found base href: {href}");
-+                            match base_url.join(href) {
-+                                Ok(inner_url) => inner_url,
-+                                _ => continue,
-+                            }
-+                        } else {
-+                            continue;
-+                        };
-+                    }
-+                    TAG_HEAD if token.closing => {
-+                        break;
-+                    }
-+                    _ => {}
-+                }
-             }
--            TAG_HEAD if token.closing => {
--                break;
-+            Err(_) => {
-+                // Handle the error case if necessary
-+                // Since the error type is `Infallible`, this branch is technically unreachable
-+                unreachable!();
-             }
--            _ => {}
-         }
-     }
-

diff --git a/lower-rust-version.patch b/lower-rust-version.patch
new file mode 100644
index 0000000..4897c58
--- /dev/null
+++ b/lower-rust-version.patch
@@ -0,0 +1,22 @@
+Lower the minimum supported Rust version from 1.93.0 to 1.92.0.
+
+EPEL branches ship an older Rust toolchain (1.92.0) than upstream's declared
+minimum (1.93.0), which makes cargo refuse to build:
+
+    error: rustc 1.92.0 is not supported by the following packages:
+      macros@0.1.0 requires rustc 1.93.0
+      vaultwarden@1.0.0 requires rustc 1.93.0
+
+Both the vaultwarden crate and the macros workspace member inherit
+rust-version from [workspace.package], so lowering it there is sufficient.
+
+diff --git a/Cargo.toml b/Cargo.toml
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -1,5 +1,5 @@
+ [workspace.package]
+ edition = "2021"
+-rust-version = "1.93.0"
++rust-version = "1.92.0"
+ license = "AGPL-3.0-only"
+ repository = "https://github.com/dani-garcia/vaultwarden"
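
Review bot: Lowering `rust-version` in `[workspace.package]` only removes cargo's version gate for the two workspace crates named in the quoted error; it does not show that the code or the vendored dependencies actually compile and pass tests on 1.92.0. Please state in the patch description that the build was verified on the EPEL toolchain, and add a note that the patch is to be dropped once the branch ships Rust 1.93.0 so it is not carried forward by accident.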

diff --git a/remove-remote-git-patch.patch b/remove-remote-git-patch.patch
deleted file mode 100644
index 582ed4d..0000000
--- a/remove-remote-git-patch.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/Cargo.toml b/Cargo.toml
-index f739145..4781559 100644
---- a/Cargo.toml
-+++ b/Cargo.toml
-@@ -168,7 +168,7 @@ grass_compiler = { version = "0.13.4", default-features = false }
- 
- [patch.crates-io]
- # Patch yubico to remove duplicate crates of older versions
--yubico = { git = "https://github.com/BlackDex/yubico-rs", rev = "00df14811f58155c0f02e3ab10f1570ed3e115c6" }
-+#yubico = { git = "https://github.com/BlackDex/yubico-rs", rev = "00df14811f58155c0f02e3ab10f1570ed3e115c6" }
- 
- # Strip debuginfo from the release builds
- # The symbols are the provide better panic traces

diff --git a/remove-rust-version-check.patch b/remove-rust-version-check.patch
deleted file mode 100644
index 0ef428a..0000000
--- a/remove-rust-version-check.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/Cargo.toml b/Cargo.toml
-index e3755e2..240e00d 100644
---- a/Cargo.toml
-+++ b/Cargo.toml
-@@ -5,7 +5,6 @@ name = "vaultwarden"
- version = "1.0.0"
- authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
- edition = "2021"
--rust-version = "1.83.0"
- resolver = "2"
- 
- repository = "https://github.com/dani-garcia/vaultwarden"

diff --git a/rust2rpm.toml b/rust2rpm.toml
deleted file mode 100644
index bdb21df..0000000
--- a/rust2rpm.toml
+++ /dev/null
@@ -1,27 +0,0 @@
-[requires]
-build = [
-  "libpq-devel",
-  "mariadb-devel",
-  "openssl-devel",
-  "systemd-rpm-macros",
-]
-
-[scripts]
-[scripts.build]
-post = [
-  "%if %{with vendor}",
-  "# some vendored files have executable bit but bad shebangs",
-  "find vendor/ -type f -executable -exec chmod -x {} +",
-  "%endif"
-]
-[scripts.install]
-post = [
-  "# filesystem",
-  "install -d %{buildroot}%{_sharedstatedir}/%{name}",
-  "install -d %{buildroot}%{_localstatedir}/run/%{name}",
-  "# configs",
-  "install -Dpm 0640 %{SOURCE4} %{buildroot}%{_sysconfdir}/%{name}/%{name}.cfg",
-  "# systemd",
-  "install -Dp %{SOURCE2} %{buildroot}%{_unitdir}/%{name}.service"
-]
-

diff --git a/sources b/sources
index d4e7312..da79bd5 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (vaultwarden-1.34.2.tar.gz) = 85e3849bb9db398b8691a68d675ee7e1c85c65818a86eade9685785f9456d9c6f91048b4fd304f50544f1842623a92fe2c2143cd23b193202cb8b8062f71c693
-SHA512 (vaultwarden-1.34.2-vendor.tar.xz) = 702680f2acc164cfcdff5f09b118426f2ddd44241873d18ea8de5bbdf9903d5d4092fdd2a5a62bb977a2fc8ba88feddb5ea8a03cb879fd6781fc00cf3f96165b
+SHA512 (vaultwarden-1.36.0.tar.gz) = 59b7be22504826a5b3cb7c30d84c2648d80af5bf003b16512401dd734baf05a208651cdd49bc79120a85e43c92df303f2f501521161b7e550c44ffeccb3e5923
+SHA512 (vaultwarden-1.36.0-vendor.tar.xz) = c889f1bf0f9e0ae2d92e4173b0673d6dc926fe5c1e74860c465e9884ba2f8d7ba37075fb0e49e4b1c47d8da2e43b4bc07cf404ed7953edaf2e583060ac0f5684

diff --git a/vaultwarden.cfg b/vaultwarden.cfg
index 7a121cd..05b51d7 100644
--- a/vaultwarden.cfg
+++ b/vaultwarden.cfg
@@ -4,12 +4,25 @@
 ##
 ## Be aware that most of these settings will be overridden if they were changed
 ## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json .
+##
+## By default, Vaultwarden expects for this file to be named ".env" and located
+## in the current working directory. If this is not the case, the environment
+## variable ENV_FILE can be set to the location of this file prior to starting
+## Vaultwarden.
 
 ####################
 ### Data folders ###
 ####################
 
 ## Main data folder
+## This can be a path to local folder or a path to an external location
+## depending on features enabled at build time. Possible external locations:
+##
+## - AWS S3 Bucket (via `s3` feature): s3://bucket-name/path/to/folder
+##
+## When using an external location, make sure to set TMP_FOLDER,
+## TEMPLATES_FOLDER, and DATABASE_URL to local paths and/or a remote database
+## location.
 # DATA_FOLDER=/var/lib/vaultwarden
 
 ## Individual folders, these override %DATA_FOLDER%
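
Review bot: The added DATA_FOLDER text advertises `s3://bucket-name/path/to/folder` "via `s3` feature", but create-vendor-tarball.sh in this same commit documents the feature set the spec builds with as "sqlite,mysql,postgresql", so an administrator following this comment would configure a storage location the packaged binary does not support. Suggest adding a line that this build does not enable `s3`, or trimming the S3 paragraph. The new ".env in the current working directory" paragraph would also benefit from one sentence on how the packaged file is located, since the install line in the removed rust2rpm.toml places it at %{_sysconfdir}/%{name}/%{name}.cfg rather than as `.env`.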
@@ -17,10 +30,13 @@
 # ICON_CACHE_FOLDER=data/icon_cache
 # ATTACHMENTS_FOLDER=data/attachments
 # SENDS_FOLDER=data/sends
+
+## Temporary folder used for storing temporary file uploads
+## Must be a local path.
 # TMP_FOLDER=data/tmp
 
-## Templates data folder, by default uses embedded templates
-## Check source code to see the format
+## HTML template overrides data folder
+## Must be a local path.
 # TEMPLATES_FOLDER=data/templates
 ## Automatically reload the templates for every request, slow, use only for development
 # RELOAD_TEMPLATES=false
@@ -34,7 +50,9 @@
 #########################
 
 ## Database URL
-## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3
+## When using SQLite, this is the path to the DB file, and it defaults to
+## %DATA_FOLDER%/db.sqlite3. If DATA_FOLDER is set to an external location, this
+## must be set to a local sqlite3 file path.
 # DATABASE_URL=data/db.sqlite3
 ## When using MySQL, specify an appropriate connection URI.
 ## Details: https://docs.diesel.rs/2.1.x/diesel/mysql/struct.MysqlConnection.html
@@ -62,8 +80,16 @@
 ## Timeout when acquiring database connection
 # DATABASE_TIMEOUT=30
 
+## Database idle timeout
+## Timeout in seconds before idle connections to the database are closed.
+# DATABASE_IDLE_TIMEOUT=600
+
+## Database min connections
+## Define the minimum size of the connection pool used for connecting to the database.
+# DATABASE_MIN_CONNS=2
+
 ## Database max connections
-## Define the size of the connection pool used for connecting to the database.
+## Define the maximum size of the connection pool used for connecting to the database.
 # DATABASE_MAX_CONNS=10
 
 ## Database connection initialization
@@ -87,15 +113,20 @@
 ##########################
 
 ## Enables push notifications (requires key and id from https://bitwarden.com/host)
-## If you choose "European Union" Data Region, uncomment PUSH_RELAY_URI and PUSH_IDENTITY_URI then replace .com by .eu
 ## Details about mobile client push notification:
 ## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification
 # PUSH_ENABLED=false
 # PUSH_INSTALLATION_ID=CHANGEME
 # PUSH_INSTALLATION_KEY=CHANGEME
-## Don't change this unless you know what you're doing.
+
+# WARNING: Do not modify the following settings unless you fully understand their implications!
+# Default Push Relay and Identity URIs
 # PUSH_RELAY_URI=https://push.bitwarden.com
 # PUSH_IDENTITY_URI=https://identity.bitwarden.com
+# European Union Data Region Settings
+# If you have selected "European Union" as your data region, use the following URIs instead.
+# PUSH_RELAY_URI=https://api.bitwarden.eu
+# PUSH_IDENTITY_URI=https://identity.bitwarden.eu
 
 #####################
 ### Schedule jobs ###
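
Review bot: The added WARNING, "Default Push Relay and Identity URIs" and "European Union Data Region Settings" lines start with a single `#`, while the rest of the file uses `##` for prose and a single `#` for commented-out settings, so these four prose lines read like disabled options. Switch them to `##`. With two commented `PUSH_RELAY_URI`/`PUSH_IDENTITY_URI` pairs now present, it would also help to say that only one pair may be uncommented.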
@@ -107,7 +138,7 @@
 ## and are always in terms of UTC time (regardless of your local time zone settings).
 ##
 ## The schedule format is a bit different from crontab as crontab does not contains seconds.
-## You can test the the format here: https://crontab.guru, but remove the first digit!
+## You can test the format here: https://crontab.guru, but remove the first digit!
 ## SEC  MIN   HOUR   DAY OF MONTH    MONTH   DAY OF WEEK
 ## "0   30   9,12,15     1,15       May-Aug  Mon,Wed,Fri"
 ## "0   30     *          *            *          *     "
@@ -147,6 +178,14 @@
 ## Cron schedule of the job that cleans old auth requests from the auth request.
 ## Defaults to every minute. Set blank to disable this job.
 # AUTH_REQUEST_PURGE_SCHEDULE="30 * * * * *"
+##
+## Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt.
+## Defaults to every minute. Set blank to disable this job.
+# DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *"
+#
+## Cron schedule of the job that cleans sso auth from incomplete flow
+## Defaults to daily (20 minutes after midnight). Set blank to disable this job.
+# PURGE_INCOMPLETE_SSO_AUTH="0 20 0 * * *"
 
 ########################
 ### General settings ###
@@ -215,7 +254,8 @@
 # SIGNUPS_ALLOWED=true
 
 ## Controls if new users need to verify their email address upon registration
-## Note that setting this option to true prevents logins until the email address has been verified!
+## On new client versions, this will require the user to verify their email at signup time.
+## On older clients, it will require the user to verify their email before they can log in.
 ## The welcome email will include a verification link, and login attempts will periodically
 ## trigger another verification email to be sent.
 # SIGNUPS_VERIFY=false
@@ -245,7 +285,7 @@
 ## A comma-separated list means only those users can create orgs:
 # ORG_CREATION_USERS=admin1@example.com,admin2@example.com
 
-## Invitations org admins to invite users, even when signups are disabled
+## Allows org admins to invite users, even when signups are disabled
 # INVITATIONS_ALLOWED=true
 ## Name shown in the invitation emails that don't come from a specific organization
 # INVITATION_ORG_NAME=Vaultwarden
@@ -266,12 +306,13 @@
 ## The default for new users. If changed, it will be updated during login for existing users.
 # PASSWORD_ITERATIONS=600000
 
-## Controls whether users can set password hints. This setting applies globally to all users.
+## Controls whether users can set or show password hints. This setting applies globally to all users.
 # PASSWORD_HINTS_ALLOWED=true
 
 ## Controls whether a password hint should be shown directly in the web page if
-## SMTP service is not configured. Not recommended for publicly-accessible instances
-## as this provides unauthenticated access to potentially sensitive data.
+## SMTP service is not configured and password hints are allowed.
+## Not recommended for publicly-accessible instances because this provides
+## unauthenticated access to potentially sensitive data.
 # SHOW_PASSWORD_HINT=false
 
 #########################
@@ -307,34 +348,46 @@
 ## Default: 2592000 (30 days)
 # ICON_CACHE_TTL=2592000
 ## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
-## Default: 2592000 (3 days)
+## Default: 259200 (3 days)
 # ICON_CACHE_NEGTTL=259200
 
 ## Icon download timeout
 ## Configure the timeout value when downloading the favicons.
-## The default is 10 seconds, but this could be to low on slower network connections
+## The default is 10 seconds, but this could be too low on slower network connections
 # ICON_DOWNLOAD_TIMEOUT=10
 
-## Icon blacklist Regex
-## Any domains or IPs that match this regex won't be fetched by the icon service.
+## Block HTTP domains/IPs by Regex
+## Any domains or IPs that match this regex won't be fetched by the internal HTTP client.
 ## Useful to hide other servers in the local network. Check the WIKI for more details
-## NOTE: Always enclose this regex withing single quotes!
-# ICON_BLACKLIST_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$'
+## NOTE: Always enclose this regex within single quotes!
+# HTTP_REQUEST_BLOCK_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$'
 
-## Any IP which is not defined as a global IP will be blacklisted.
+## Enabling this will cause the internal HTTP client to refuse to connect to any non-global IP address.
 ## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
-# ICON_BLACKLIST_NON_GLOBAL_IPS=true
+# HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=true
 
 ## Client Settings
 ## Enable experimental feature flags for clients.
 ## This is a comma-separated list of flags, e.g. "flag1,flag2,flag3".
+## Note that clients cache the /api/config endpoint for about 1 hour and it could take some time before they are enabled or disabled!
 ##
 ## The following flags are available:
-## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
-## - "autofill-v2": Use the new autofill implementation.
-## - "browser-fileless-import": Directly import credentials from other providers without a file.
-## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
-# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials
+## - "pm-5594-safari-account-switching": Enable account switching in Safari. (Safari >= 2026.2.0)
+## - "ssh-agent": Enable SSH agent support on Desktop. (Desktop >= 2024.12.0)
+## - "ssh-agent-v2": Enable newer SSH agent support. (Desktop >= 2026.2.1)
+## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Clients >= 2024.12.0)
+## - "pm-25373-windows-biometrics-v2": Enable the new implementation of biometrics on Windows. (Desktop >= 2025.11.0)
+## - "anon-addy-self-host-alias": Enable configuring self-hosted Anon Addy alias generator. (Android >= 2025.3.0, iOS >= 2025.4.0)
+## - "simple-login-self-host-alias": Enable configuring self-hosted Simple Login alias generator. (Android >= 2025.3.0, iOS >= 2025.4.0)
+## - "mutual-tls": Enable the use of mutual TLS on Android (Clients >= 2025.2.0)
+## - "cxp-import-mobile": Enable the import via CXP on iOS (Clients >= 2025.9.2)
+## - "cxp-export-mobile": Enable the export via CXP on iOS (Clients >= 2025.9.2)
+## - "pm-30529-webauthn-related-origins":
+## - "desktop-ui-migration-milestone-1": Special feature flag for desktop UI (Desktop >= 2026.2.0)
+## - "desktop-ui-migration-milestone-2": Special feature flag for desktop UI (Desktop >= 2026.2.0)
+## - "desktop-ui-migration-milestone-3": Special feature flag for desktop UI (Desktop >= 2026.2.0)
+## - "desktop-ui-migration-milestone-4": Special feature flag for desktop UI (Desktop >= 2026.2.0)
+# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=
 
 ## Require new device emails. When a user logs in an email is required to be sent.
 ## If sending the email fails the login attempt will fail!!
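
Review bot: Renaming ICON_BLACKLIST_REGEX and ICON_BLACKLIST_NON_GLOBAL_IPS to HTTP_REQUEST_BLOCK_REGEX and HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS changes the names of the settings that keep the server's internal HTTP client away from local and non-global addresses, and nothing in the comments says whether the old names are still honored. An existing configuration that sets the old keys is not touched by this template change, so please add a line naming the old keys and their status, and call the rename out in the package changelog so administrators relying on the block list review it. Also, the `"pm-30529-webauthn-related-origins":` entry has no description after the colon.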
@@ -357,8 +410,9 @@
 ## Log level
 ## Change the verbosity of the log output
 ## Valid values are "trace", "debug", "info", "warn", "error" and "off"
-## Setting it to "trace" or "debug" would also show logs for mounted
-## routes and static file, websocket and alive requests
+## Setting it to "trace" or "debug" would also show logs for mounted routes and static file, websocket and alive requests
+## For a specific module append a comma separated `path::to::module=log_level`
+## For example, to only see debug logs for icons use: LOG_LEVEL="info,vaultwarden::api::icons=debug"
 # LOG_LEVEL=info
 
 ## Token for the admin interface, preferably an Argon2 PCH string
@@ -391,6 +445,14 @@
 ## Multiple values must be separated with a whitespace.
 # ALLOWED_IFRAME_ANCESTORS=
 
+## Allowed connect-src (Know the risks!)
+## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
+## Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature
+## This adds the configured value to the 'Content-Security-Policy' headers 'connect-src' value.
+## Multiple values must be separated with a whitespace. And only HTTPS values are allowed.
+## Example: "https://my-addy-io.domain.tld https://my-simplelogin.domain.tld"
+# ALLOWED_CONNECT_SRC=""
+
 ## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in.
 # LOGIN_RATELIMIT_SECONDS=60
 ## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`.
@@ -404,6 +466,72 @@
 ## KNOW WHAT YOU ARE DOING!
 # ORG_GROUPS_ENABLED=false
 
+## Increase secure note size limit (Know the risks!)
+## Sets the secure note size limit to 100_000 instead of the default 10_000.
+## WARNING: This could cause issues with clients. Also exports will not work on Bitwarden servers!
+## KNOW WHAT YOU ARE DOING!
+# INCREASE_NOTE_SIZE_LIMIT=false
+
+## Enforce Single Org with Reset Password Policy
+## Enforce that the Single Org policy is enabled before setting the Reset Password policy
+## Bitwarden enforces this by default. In Vaultwarden we encouraged to use multiple organizations because groups were not available.
+## Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy.
+# ENFORCE_SINGLE_ORG_WITH_RESET_PW_POLICY=false
+
+## Prefer IPv6 (AAAA) resolving
+## This settings configures the DNS resolver to resolve IPv6 first, and if not available try IPv4
+## This could be useful in IPv6 only environments.
+# DNS_PREFER_IPV6=false
+
+#####################################
+### SSO settings (OpenID Connect) ###
+#####################################
+
+## Controls whether users can login using an OpenID Connect identity provider
+# SSO_ENABLED=false
+
+## Prevent users from logging in directly without going through SSO
+# SSO_ONLY=false
+
+## On SSO Signup if a user with a matching email already exists make the association
+# SSO_SIGNUPS_MATCH_EMAIL=true
+
+## Allow unknown email verification status. Allowing this with `SSO_SIGNUPS_MATCH_EMAIL=true` open potential account takeover.
+# SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=false
+
+## Base URL of the OIDC server (auto-discovery is used)
+##  - Should not include the `/.well-known/openid-configuration` part and no trailing `/`
+##  - ${SSO_AUTHORITY}/.well-known/openid-configuration should return a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
+# SSO_AUTHORITY=https://auth.example.com
+
+## Authorization request scopes. Optional SSO scopes, override if email and profile are not enough (`openid` is implicit).
+# SSO_SCOPES="email profile"
+
+## Additional authorization url parameters (ex: to obtain a `refresh_token` with Google Auth).
+# SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"
+
+## Activate PKCE for the Auth Code flow.
+# SSO_PKCE=true
+
+## Regex for additional trusted Id token audience (by default only the client_id is trusted).
+# SSO_AUDIENCE_TRUSTED='^$'
+
+## Set your Client ID and Client Key
+# SSO_CLIENT_ID=11111
+# SSO_CLIENT_SECRET=AAAAAAAAAAAAAAAAAAAAAAAA
+
+## Optional Master password policy (minComplexity=[0-4]), `enforceOnLogin` is not supported at the moment.
+# SSO_MASTER_PASSWORD_POLICY='{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}'
+
+## Use sso only for authentication not the session lifecycle
+# SSO_AUTH_ONLY_NOT_SESSION=false
+
+## Client cache for discovery endpoint. Duration in seconds (0 to disable).
+# SSO_CLIENT_CACHE_EXPIRATION=0
+
+## Log all the tokens, LOG_LEVEL=debug is required
+# SSO_DEBUG_TOKENS=false
+
 ########################
 ### MFA/2FA settings ###
 ########################
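Review bot: `SSO_SIGNUPS_MATCH_EMAIL` is shown with a default of `true`, yet the account-takeover warning appears only on the following option, `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION`. Matching on email attaches an SSO login to an existing account, so the `SSO_SIGNUPS_MATCH_EMAIL` comment should itself say that it depends on the identity provider reporting a verified email. The warning sentence also needs a grammar fix ("opens a potential account takeover"). Separately, the `SSO_DEBUG_TOKENS` comment should state that tokens written to the log are usable credentials, so the option belongs off outside troubleshooting.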
@@ -417,15 +545,21 @@
 # YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify
 
 ## Duo Settings
-## You need to configure all options to enable global Duo support, otherwise users would need to configure it themselves
+## You need to configure the DUO_IKEY, DUO_SKEY, and DUO_HOST options to enable global Duo support.
+## Otherwise users will need to configure it themselves.
 ## Create an account and protect an application as mentioned in this link (only the first step, not the rest):
 ## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account
 ## Then set the following options, based on the values obtained from the last step:
-# DUO_IKEY=<Integration Key>
-# DUO_SKEY=<Secret Key>
+# DUO_IKEY=<Client ID>
+# DUO_SKEY=<Client Secret>
 # DUO_HOST=<API Hostname>
 ## After that, you should be able to follow the rest of the guide linked above,
 ## ignoring the fields that ask for the values that you already configured beforehand.
+##
+## If you want to attempt to use Duo's 'Traditional Prompt' (deprecated, iframe based) set DUO_USE_IFRAME to 'true'.
+## Duo no longer supports this, but it still works for some integrations.
+## If you aren't sure, leave this alone.
+# DUO_USE_IFRAME=false
 
 ## Email 2FA settings
 ## Email token size
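Review bot: the `DUO_USE_IFRAME` comment says Duo no longer supports the Traditional Prompt but that "it still works for some integrations", which reads as an invitation to try an unsupported authentication path. Suggest stating plainly that `false` is the supported setting and that `true` is only for existing integrations that cannot migrate yet. The placeholder rename to `<Client ID>` and `<Client Secret>` is clear; one line noting that the variables keep the names `DUO_IKEY` and `DUO_SKEY` would avoid confusion.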
@@ -440,7 +574,7 @@
 ## Maximum attempts before an email token is reset and a new email will need to be sent.
 # EMAIL_ATTEMPTS_LIMIT=3
 ##
-## Setup email 2FA regardless of any organization policy
+## Setup email 2FA on registration regardless of any organization policy
 # EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE=false
 ## Automatically setup email 2FA as fallback provider when needed
 # EMAIL_2FA_AUTO_FALLBACK=false
@@ -457,7 +591,7 @@
 ##
 ## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
 ## we allow by default the TOTP code which was valid one step back and one in the future.
-## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
+## This can however allow attackers to be a bit more lucky with their attempts because there are 3 valid codes.
 ## You can disable this, so that only the current TOTP Code is allowed.
 ## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
 ## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
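Review bot: the typo fix on the "lucky with their attempts" line leaves a second typo two lines below in the same paragraph, "when a sever drifts out of time", which should read "server". Worth fixing in the same pass.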
@@ -497,7 +631,7 @@
 # SMTP_AUTH_MECHANISM=
 
 ## Server name sent during the SMTP HELO
-## By default this value should be is on the machine's hostname,
+## By default this value should be the machine's hostname,
 ## but might need to be changed in case it trips some anti-spam filters
 # HELO_NAME=
 
@@ -526,7 +660,7 @@
 
 ## Rocket specific settings
 ## See https://rocket.rs/v0.5/guide/configuration/ for more details.
-# ROCKET_ADDRESS=127.0.0.1
+# ROCKET_ADDRESS=0.0.0.0
 ## The default port is 8000, unless running in a Docker container, in which case it is 80.
 # ROCKET_PORT=8000
 # ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
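Review bot: the commented example for `ROCKET_ADDRESS` changes from `127.0.0.1` to `0.0.0.0`, so anyone who uncomments it binds the listener to every interface, and nothing in the surrounding comments says so. Suggest adding a comment line saying that `127.0.0.1` is the right value when a reverse proxy on the same host terminates TLS, and that `0.0.0.0` should be paired with `ROCKET_TLS` or a firewall rule.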

diff --git a/vaultwarden.spec b/vaultwarden.spec
index 1ca3800..cacc678 100644
--- a/vaultwarden.spec
+++ b/vaultwarden.spec
@@ -9,34 +9,42 @@
 %global rustflags_debuginfo 1
 
 Name:           vaultwarden
-Version:        1.34.2
-Release:        2%{?dist}
+Version:        1.36.0
+Release:        1%{?dist}
 Summary:        Unofficial Bitwarden compatible server
 
 ExcludeArch:    ppc64le s390x
 
 # (Apache-2.0 OR MIT) AND BSD-3-Clause
+# (MIT OR Apache-2.0) AND Apache-2.0
+# (MIT OR Apache-2.0) AND Unicode-3.0
 # 0BSD
 # 0BSD OR MIT OR Apache-2.0
 # AGPL-3.0-only
 # Apache-2.0
+# Apache-2.0 AND ISC
 # Apache-2.0 OR BSL-1.0
 # Apache-2.0 OR ISC OR MIT
 # Apache-2.0 OR MIT
 # Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT
 # BSD-2-Clause OR Apache-2.0 OR MIT
 # BSD-3-Clause
+# BSD-3-Clause AND MIT
 # BSD-3-Clause OR MIT
+# CDLA-Permissive-2.0
 # ISC
-# ISC AND MIT AND OpenSSL
 # MIT
 # MIT OR Apache-2.0
+# MIT OR Apache-2.0 OR BSD-1-Clause
+# MIT OR Apache-2.0 OR LGPL-2.1-or-later
 # MIT OR Apache-2.0 OR Zlib
 # MIT OR Zlib OR Apache-2.0
 # MPL-2.0
+# Unicode-3.0
 # Unlicense OR MIT
+# Zlib
 # Zlib OR Apache-2.0 OR MIT
-License:        AGPL-3.0-only AND BSD-3-Clause AND 0BSD AND Apache-2.0 AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT) AND (BSD-2-Clause OR Apache-2.0 OR MIT) AND BSD-3-Clause AND ISC AND MIT AND MPL-2.0 AND (Unlicense OR MIT) AND (Zlib OR Apache-2.0 OR MIT) AND (ISC AND MIT AND OpenSSL)
+License:        0BSD AND AGPL-3.0-only AND Apache-2.0 AND BSD-3-Clause AND CDLA-Permissive-2.0 AND ISC AND MIT AND MPL-2.0 AND Unicode-3.0 AND Zlib AND (0BSD OR MIT OR Apache-2.0) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR ISC OR MIT) AND (Apache-2.0 OR MIT) AND (Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT) AND (BSD-2-Clause OR Apache-2.0 OR MIT) AND (BSD-3-Clause OR MIT) AND (MIT OR Apache-2.0 OR BSD-1-Clause) AND (MIT OR Apache-2.0 OR LGPL-2.1-or-later) AND (MIT OR Apache-2.0 OR Zlib) AND (Unlicense OR MIT)
 # LICENSE.dependencies contains a full license breakdown
 
 URL:            https://github.com/dani-garcia/vaultwarden
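Review bot: the new `License:` tag drops `OpenSSL` together with the removed `# ISC AND MIT AND OpenSSL` comment line; please confirm against the regenerated `LICENSE.dependencies` that no vendored crate still carries that term, since the tag is updated by hand. The comment list and the tag otherwise agree: the compound entries such as `Apache-2.0 AND ISC` and `BSD-3-Clause AND MIT` are covered by the individual identifiers in the tag.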
@@ -45,6 +53,12 @@ Source1:        vaultwarden-%{version}-vendor.tar.xz
 Source2:        vaultwarden.service
 Source3:        vaultwarden.cfg
 Source4:        vaultwarden.sysusers
+Source99:       create-vendor-tarball.sh
+
+# EL 9.8/10.2 ship an older Rust toolchain (1.92.0) vs 1.93.0 desired
+%if 0%{?rhel}
+Patch0:         lower-rust-version.patch
+%endif
 
 ExcludeArch:    i686
 
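Review bot: `Patch0` is declared inside `%if 0%{?rhel}`, so a source RPM generated where `%{rhel}` is undefined will not contain `lower-rust-version.patch`. Suggest declaring `Patch0` unconditionally and moving the `%if 0%{?rhel}` guard to the place in `%prep` where the patch is applied. The comment could also name the condition for dropping the patch (the EL toolchain reaching 1.93.0).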
@@ -78,7 +92,6 @@ Requires:       %{name}-web
 %build
 export VW_VERSION=%{version}
 %cargo_build -f sqlite,mysql,postgresql
-%cargo_build -f sqlite
 %{cargo_license_summary}
 %{cargo_license} > LICENSE.dependencies
 %{cargo_vendor_manifest}
@@ -144,6 +157,17 @@ install -Dp %{SOURCE2} %{buildroot}%{_unitdir}/%{name}.service
 
 
 %changelog
+* Wed Jun 03 2026 Jonathan Wright <jonathan@almalinux.org> - 1.36.0-1
+- update to 1.36.0 rhbz#2368636
+- Fix bitwarden mobile app not working rhbz#2437599
+- Fix CVE-2025-58160 vaultwarden: Tracing log pollution
+- Fix CVE-2026-25537 vaultwarden: jsonwebtoken has Type Confusion that leads to potential authorization bypass
+- Fix CVE-2026-25727 vaultwarden: time affected by a stack exhaustion denial of service attack
+- Fix CVE-2026-26012 vaultwarden: Information disclosure due to bypassed collection permissions
+- Fix CVE-2026-27898 vaultwarden: Information disclosure via API partial update
+- Fix CVE-2026-27803 vaultwarden: Unauthorized collection management operations due to improper access control
+- Fix CVE-2026-27801 vaultwarden: Two-factor authentication bypass allows unauthorized access and data deletion
+
 * Sat Jan 17 2026 Fedora Release Engineering <releng@fedoraproject.org> - 1.34.2-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
 
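Review bot: the seven `Fix CVE-...` changelog entries carry no Bugzilla reference, unlike the first two entries (`rhbz#2368636`, `rhbz#2437599`). If tracking bugs exist for these CVEs, append their `rhbz#` numbers so each entry can be traced. The commit log says only "update to 1.36.0"; mentioning there that the update is security-relevant would help anyone scanning the commit list.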
