1.32.0

Security Fixes

This release has several CVE Reports fixed and we recommend everybody to update to the latest version as soon as possible.

• CVE-2024-39924 Fixed via #4715
• CVE-2024-39925 Fixed via #4837
• CVE-2024-39926 Fixed via #4737

Other changes

• Updated web-vault to v2024.6.2
• Fixed issues with password reset enrollment by rolling back a web-vault commit

What's Changed

• use a custom plan of enterprise tier to fix limits by @stefan0xC in #4726
• chore: Dockerfile to Remove port 3012 by @calvin-li-developer in #4725
• Fix bug where secureNotes is empty by @cobyge in #4730
• Improved HTTP client by @dani-garcia in #4740
• Update admin interface by @BlackDex in #4737
• Fix for RSA Keys which are read only by @BlackDex in #4744
• Fix Email 2FA login on native app by @BlackDex in #4762
• Update crates & fix crate vulnerability by @dfunkt in #4771
• Fix Dockerfile linter warnings by @dfunkt in #4763
• allow re-invitations of existing users by @stefan0xC in #4768
• Allow to override log level for specific target by @Timshel in #4305
• Add support for MFA with Duo's Universal Prompt by @0x0fbc in #4637
• Allow to increase the note size to 100_000 by @BlackDex in #4772
• Update Rust, Crates and GHA by @BlackDex in #4783
• Duo: use the formatted db email by @Timshel in #4779
• Update rust-toolchain.toml to 1.80.0 by @dfunkt in #4784
• fix issue with adding ciphers to organizations on native ios app by @stefan0xC in #4800
• Rewrite the Push Notifications section in the configuration template by @dfunkt in #4805
• Secure send file uploads by @BlackDex in #4810
• make access_all optional by @stefan0xC in #4812
• Remove lowercase conversion for featureStates by @dfunkt in #4820
• Fix mail::send_incomplete_2fa_login panic issue by @dfunkt in #4792
• Update crates, web-vault and fixes by @BlackDex in #4823
• Updated web-vault to v2024.6.2b by @BlackDex in #4826
• Update Rust to 1.80.1 by @dfunkt in #4831
• Fix data disclosure on organization endpoints by @BlackDex in #4837

New Contributors

• @cobyge made their first contribution in #4730
• @0x0fbc made their first contribution in #4637

Full Changelog: 1.31.0...1.32.0

1.31.0

Major changes and New Features

• Initial support for the beta releases of the new native mobile apps
• Removed support for WebSocket traffic on port 3012, as it's been integrated on the main HTTP port for a few releases
• Updated included web vault to 2024.5.1

General mention

Bitwarden has changed the push API endpoints which affects the EU region endpoint users.
So if you use the push functionality and use the EU region you need to make some changes.
You have to update push.bitwarden.eu to api.bitwarden.eu.
This is also an issue with any previous version of Vaultwarden.

What's Changed

• chore: remove repetitive words by @one230six in #4422
• Fix comment in events.rs by @KrappRamiro in #4408
• Improve JWT RSA key initialization and avoid saving public key by @dani-garcia in #4085
• Remove custom WebSocket code by @BlackDex in #4001
• refactor: replace panic with a graceful exit by @tessus in #4402
• Small improvements around email change by @Timshel in #4415
• Change timestamp data type. by @gzfrozen in #4355
• Fix #3624: fix manager permission within groups by @matlink in #3754
• automatically use email address as 2fa provider by @stefan0xC in #4317
• fix: typos by @testwill in #4440
• Update chrono and sqlite by @BlackDex in #4436
• Update Rust and crates by @BlackDex in #4445
• Use async verify for Yubikey by @dani-garcia in #4448
• update web-vault to v2024.3.1 (new vertical layout) by @stefan0xC in #4468
• Update crates and some Clippy fixes by @BlackDex in #4475
• Update Key Rotation web-vault v2024.3.x by @BlackDex in #4446
• Update Crate and Rust by @BlackDex in #4522
• Implement custom DNS resolver by @dani-garcia in #3988
• Add extra (unsupported) container build arch's by @BlackDex in #4524
• Pass in collection ids to notifier when sharing cipher. by @kristof-mattei in #4517
• improve access to collections via groups by @stefan0xC in #4441
• fix emergency access invites by @stefan0xC in #4337
• Some fixes for the new mobile apps by @dani-garcia in #4526
• Update Rust, crates and web-vault by @BlackDex in #4558
• Improve Commentary Aesthetics by @rich-purnell in #4549
• Optimize Dockerfiles by @dfunkt in #4532
• also delete organization_api_key when deleting organizations by @stefan0xC in #4557
• Fix public api for domains with path prefix by @FDHoho007 in #4500
• Update crates by @BlackDex in #4587
• Fix web-vault version in Docker(files/Settings) by @dfunkt in #4575
• Update Alpine to version 3.20 by @dfunkt in #4583
• differentiate external groups by organization id by @stefan0xC in #4586
• Remove old knowndevice route by @Timshel in #4578
• Update admin interface dependencies by @BlackDex in #4581
• Update rust and remove unused header values by @dani-garcia in #4645
• Update crates, web-vault and GHA by @BlackDex in #4648
• Fix some nightly build errors by @dani-garcia in #4657
• Fix some more nightly errors and remove lint that will become an error by default by @dani-garcia in #4661
• Change API and structs to camelCase by @dani-garcia in #4386
• Fix cipher creation on new android app by @dani-garcia in #4670
• Remove mimalloc workaround by @dfunkt in #4606
• Change some missing PascalCase keys by @dani-garcia in #4671
• Fix collections and native app issue by @BlackDex in #4685
• Fix duplicate folder creations during import by @BlackDex in #4702
• Remove duplicate registry step by @dfunkt in #4703
• add group support for Cipher::get_collections() by @stefan0xC in #4592
• Switch registry cache compression algorithm to zstd by @dfunkt in #4704
• Update crates and web-vault by @BlackDex in #4714
• Some fixes for emergency access by @BlackDex in #4715

New Contributors

• @one230six made their first contribution in #4422
• @KrappRamiro made their first contribution in #4408
• @testwill made their first contribution in #4440
• @kristof-mattei made their first contribution in #4517
• @rich-purnell made their first contribution in #4549
• @dfunkt made their first contribution in #4532
• @FDHoho007 made their first contribution in #4500

Full Changelog: 1.30.5...1.31.0

1.30.5

What's Changed

• fix: web API call for jquery 3.7.1 by @calvin-li-developer in #4400

New Contributors

• @calvin-li-developer made their first contribution in #4400

Full Changelog: 1.30.4...1.30.5

1.30.4

⚠️ Note: The WebSockets service for live sync has been integrated in the main HTTP server, which means simpler proxy setups that don't require a separate rule to redirect WS traffic to port 3012. Please check the updated examples in the wiki. It's recommended to migrate to this new setup as using the old server on port 3012 is deprecated, won't receive new features and will be removed in the next release.

What's Changed

• Update crates to fix new builds by @BlackDex in #4308
• Add Kubernetes environment detection by @BlackDex in #4290
• Update GHA Workflows by @BlackDex in #4309
• Update Rust, crates and web-vault by @BlackDex in #4328
• Change the codegen-units for low resources by @BlackDex in #4336
• Fix env templateto ensure compatibility with systemd's EnvironmentFile parsing by @seiuneko in #4315
• Update crates, GHA and a Python script by @BlackDex in #4357

New Contributors

• @seiuneko made their first contribution in #4315

Full Changelog: 1.30.3...1.30.4

1.30.3

This is a minor release to fix some issues with push notification device registration and docker healthcheck.

⚠️ Note: The WebSockets service for live sync has been integrated in the main HTTP server, which means simpler proxy setups that don't require a separate rule to redirect WS traffic to port 3012. Please check the updated examples in the wiki. It's recommended to migrate to this new setup as using the old server on port 3012 is deprecated, won't receive new features and will be removed in the next release.

What's Changed

• fix push device registration by @stefan0xC in #4297
• Fix healthcheck when using .env file by @BlackDex in #4299

Full Changelog: 1.30.2...1.30.3

1.30.2

⚠️ Note: The WebSockets service for live sync has been integrated in the main HTTP server, which means simpler proxy setups that don't require a separate rule to redirect WS traffic to port 3012. Please check the updated examples in the wiki. It's recommended to migrate to this new setup as using the old server on port 3012 is deprecated, won't receive new features and will be removed in the next release.

What's Changed

• Prevent generating an error during ws close by @BlackDex in #4127
• Update Rust, Crates, Profile and Actions by @BlackDex in #4126
• Several small fixes for open issues by @BlackDex in #4143
• Fix the version string by @BlackDex in #4153
• Decrease JWT Refresh/Auth token by @BlackDex in #4163
• Update crates by @BlackDex in #4173
• Add additional build target which optimizes for size by @gladiac in #4096
• Update web-vault to v2023.12.0 by @BlackDex in #4201
• Update Rust and Crates by @BlackDex in #4211
• Fix Single Org Policy check by @BlackDex in #4207
• Allow customizing the featureStates by @PKizzle in #4168
• Fix #3413: push to users accessing the collections using groups by @matlink in #3757
• US or EU Data Region Selection by @toto-xoxo in #3752
• enforce 2FA policy on removal of second factor and login by @stefan0xC in #3803
• improve emergency access when not enabled by @stefan0xC in #4227
• Update crates and fix icon issue by @BlackDex in #4237
• Bump h2 from 0.3.23 to 0.3.24 by @dependabot in #4260
• Fix bulk collection deletion by @BlackDex in #4257
• fix: use black text for update badge (better contrast) by @tessus in #4245
• prevent side effects if groups are disabled by @stefan0xC in #4265
• Update crates, web-vault to 2024.1.2 and GHA by @BlackDex in #4275
• Return 404 when user public_key is empty by @Timshel in #4271
• Improve file limit handling by @dani-garcia in #4242
• Fix attachment upload size check by @BlackDex in #4282
• err on invalid feature flag by @stefan0xC in #4263
• register missing push devices at login by @stefan0xC in #3792
• Update env template file by @gzfrozen in #4276

New Contributors

• @gladiac made their first contribution in #4096
• @PKizzle made their first contribution in #4168
• @matlink made their first contribution in #3757
• @toto-xoxo made their first contribution in #3752
• @Timshel made their first contribution in #4271
• @gzfrozen made their first contribution in #4276

Full Changelog: 1.30.1...1.30.2

1.30.1

This is a minor release to fix some issues with the Login with device feature, and restore the alpine docker tag that was missing on the latest release.

⚠️ Note: The WebSockets service for live sync has been integrated in the main HTTP server, which means simpler proxy setups that don't require a separate rule to redirect WS traffic to port 3012. Please check the updated examples in the wiki. It's recommended to migrate to this new setup as using the old server on port 3012 is deprecated, won't receive new features and will be removed in a future release.

What's Changed

• Fix missing alpine tag during buildx bake by @BlackDex in #4043
• Disable autofill-v2 by @BlackDex in #4056
• Add Protected Actions Check by @BlackDex in #4067
• Update crates by @BlackDex in #4074

Full Changelog: 1.30.0...1.30.1

1.30.0

⚠️ Note: The WebSockets service for live sync has been integrated in the main HTTP server, which means simpler proxy setups that don't require a separate rule to redirect WS traffic to port 3012. Please check the updated examples in the wiki. It's recommended to migrate to this new setup as using the old server on port 3012 is deprecated, won't receive new features and will be removed in a future release.

Major changes and New Features

• Added passkey support, allowing the browser extensions to store and use your passkeys, make sure the extension is updated to version 2023.10.0 or newer for passkey support.
• Updated web vault to 2023.10.0.
• Fixed crashes in ARMv6 devices
• Fixed crashes when trying to create/edit a cipher in the mobile applications.

What's Changed

• Update Rust and Crates by @BlackDex in #3808
• update web-vault to v2023.8.2 by @stefan0xC in #3821
• Fix Login With Device without MasterPassword by @BlackDex in #3831
• Update GitHub Workflow by @BlackDex in #3910
• Fix arm builds by @BlackDex in #3911
• Fix typos by @tuhanayim in #3959
• csp: rename anonaddy.com to addy.io by @stefan0xC in #3950
• filter handlebars logs by @stefan0xC in #3859
• Remove unnecessary variable clone by @mvalois in #3981
• README.md: Fix grammar nit by @AndreasHGK in #3965
• Fix small issues by @BlackDex in #3964
• Adds LastActive on /admin/users API route by @mvalois in #3951
• Reopen log file on SIGHUP by @tobiasmboelz in #3909
• Fix External ID not set during DC Sync by @BlackDex in #3804
• New config option disable email change by @admav in #3986
• 2FA Confirmation Code Email subject line change to fix triggering Google spam blocker by @aureateflux in #3572
• Implement cipher key encryption by @dani-garcia in #3990
• Container building changes by @BlackDex in #3958
• Fix issue with MariaDB/MySQL migrations by @BlackDex in #3994
• feat: Working passkeys storage by @GeekCornerGH in #4025
• ci: add trivy workflow by @mightyBroccoli in #3997
• Fix importing Bitwarden exports by @BlackDex in #4030

New Contributors

• @tuhanayim made their first contribution in #3959
• @mvalois made their first contribution in #3981
• @AndreasHGK made their first contribution in #3965
• @tobiasmboelz made their first contribution in #3909
• @admav made their first contribution in #3986
• @aureateflux made their first contribution in #3572
• @mightyBroccoli made their first contribution in #3997

Full Changelog: 1.29.2...1.30.0

1.29.2

Minor release to fix an issue forcing user to set amaster password when logging in even when it's already set

What's Changed

• Fix .env.template file by @BlackDex in #3734
• Fix UserOrg status during LDAP Import by @BlackDex in #3740
• Update images to Bookworm and PQ15 and Rust v1.71 by @BlackDex in #3573
• Implement "login with device" by @quexten in #3592
• chore: Bump web vault to v2023.7.1 and bump Rust by @GeekCornerGH in #3769
• Optimized Favicon downloading by @BlackDex in #3751
• add UserDecryptionOptions to login response by @stefan0xC in #3813
• add new secretsmanager plan for web-v2023.8.x by @stefan0xC in #3797
• Allow Authorization header for Web Sockets by @BlackDex in #3806
• Update admin interface by @BlackDex in #3730

Full Changelog: 1.29.1...1.29.2

1.29.1

Minor release to fix some issues with organization API key generation when using PostgreSQL

What's Changed

• Fix Org API Key generation on PosgreSQL by @BlackDex in #3678
• feat: Add support for forwardemail by @GeekCornerGH in #3686
• Fix some external_id issues by @BlackDex in #3690
• Remove debug code during attachment download by @BlackDex in #3704

Full Changelog: 1.29.0...1.29.1