this post was submitted on 12 Aug 2024
130 points (98.5% liked)

Selfhosted

38707 readers
677 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
130
"PSA: Update Vaultwarden as soon as possible" (lemmy.ca)
submitted 1 month ago* (last edited 1 month ago) by [email protected] to c/[email protected]
7 comments fedilink hide all child comments
 

See this post from another website for more context

A new version (1.32.0) of Vaultwarden is out with security fixes:

This release has several CVE Reports fixed and we recommend everybody to update to the latest version as soon as possible.

CVE-2024-39924 Fixed via #4715

CVE-2024-39925 Fixed via #4837

CVE-2024-39926 Fixed via #4737

Release page

top 7 comments
sorted by: hot top controversial new old
[–] [email protected] 15 points 1 month ago

Docker image is already updated.

[–] [email protected] 6 points 1 month ago

Thanks for the post OP, updating my VaultWarden docker instance ASAP.

[–] [email protected] 2 points 1 month ago

Thanks

[–] [email protected] 2 points 1 month ago

Thanks for the head's up!

[–] [email protected] 2 points 1 month ago (2 children)

Not to flame on anyone, and without reading the details on the specific CVE. But, to share as an advice: this reason is why I prefer keepass + syncthing for my needs. Security for a full blown web app is not trivial and has a bigger "attack surface" than a kdbx file moving p2p through my devices via syncthing.

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago)

Explain how can you use KeePass+Syncthing with 10-50 people (possibly different groups for different passwords) having different sets of access level while maintaining sane ease of use?

The passwords are encrypted in the first place so the security for them is only on the client side.

[–] [email protected] 2 points 1 month ago

syncthing also relies on a web server for device discovery, it's just that you're probably using someone else's server instead of hosting your own.

Correct me if I'm wrong, but I also think that Vaultwarden itself doesn't have access to the unencrypted password database. In that sense it's E2EE similar to KeePass, the only difference being that KeePass is a desktop app and Vaultwarden a web app.