There have been multiple accounts created with the sole purpose of posting advertisement posts or replies containing unsolicited advertising.

Accounts which solely post advertisements, or persistently post them may be terminated.

"PSA: Update Vaultwarden as soon as possible"

See this post from another website for more context

A new version (1.32.0) of Vaultwarden is out with security fixes:

This release has several CVE Reports fixed and we recommend everybody to update to the latest version as soon as possible.

CVE-2024-39924 Fixed via

CVE-2024-39925 Fixed via

CVE-2024-39926 Fixed via

Release page

anzo ,

Not to flame on anyone, and without reading the details on the specific CVE. But, to share as an advice: this reason is why I prefer keepass + syncthing for my needs. Security for a full blown web app is not trivial and has a bigger “attack surface” than a kdbx file moving p2p through my devices via syncthing.

BlueBockser ,

syncthing also relies on a web server for device discovery, it’s just that you’re probably using someone else’s server instead of hosting your own.

Correct me if I’m wrong, but I also think that Vaultwarden itself doesn’t have access to the unencrypted password database. In that sense it’s E2EE similar to KeePass, the only difference being that KeePass is a desktop app and Vaultwarden a web app.

problembasedperson ,

You can use Syncthing without relays or discovery servers.

kolorafa , (edited )

Explain how can you use KeePass+Syncthing with 10-50 people (possibly different groups for different passwords) having different sets of access level while maintaining sane ease of use?

The passwords are encrypted in the first place so the security for them is only on the client side.

khorak ,

I do not have to share passwords with 10-50 people and neither did the op imply this. I am having trouble figuring out the reasoning behind your message. Why would this be a normal use case?

MangoPenguin ,
@MangoPenguin@lemmy.blahaj.zone avatar

Security for a full blown web app is not trivial and has a bigger “attack surface” than a kdbx file moving p2p through my devices via syncthing.

Absolutely.

My Vaultwarden instance is only accessible via LAN or VPN though, I don’t think I’d want to expose it to the internet.

synapse1278 ,
@synapse1278@lemmy.world avatar

Watchtower took care of that for me 👍

milan ,
@milan@discuss.tchncs.de avatar

updated a little while ago due to this post… as the release number is not a .1, i wasn’t expecting this addressing cves. thanks :)

sudneo ,

Thanks for the head’s up!

slym ,
@slym@lemmy.ca avatar

Thanks

N1ghtstalk3r ,
@N1ghtstalk3r@lemmy.world avatar

Thanks for the post OP, updating my VaultWarden docker instance ASAP.

JASN_DE ,

Docker image is already updated.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • [email protected]
  • random
  • lifeLocal
  • goranko
  • All magazines
    •