Update Vaultwarden to 1.35.4

[christiaanwesterbeek]

I'm running Vaultwarden via Umbrel (current version 1.34.3) and hitting intermittent "invalid master password" errors on the Bitwarden iOS app, despite copy-pasting the correct password. Now it's also happening in the Brave browser extension on Mac. I have to log out and back in with the same password to make it work temporarily. This is getting annoying and disrupts workflow.

To fix this I want to request an upgrade to the latest Vaultwarden release (1.35.4). This should resolve compatibility issues with official Bitwarden clients (mobile and extensions).

Key Bug Fixes in 1.35.x (Relevant to My Issue and Others)

• Fixed refresh token parsing causing unexpected logouts after upgrades.
• Fixed authentication compatibility for mobile apps, including handling of MasterPasswordHash field.
• Fixed email 2FA with auth requests, especially for mobile clients.
• Fixed User API Key login compatibility.
• Fixed SSO callback and user data handling during authentication.

Security Fixes Between 1.34.3 and 1.35.4

• GHSA-w9f8-m526-h7fh: Fixed vulnerability allowing access to another user's cipher via UUID.
• GHSA-h4hq-rgvh-wh27 and GHSA-r32r-j5jq-3w4m: Fixed vulnerability allowing manager-level users to modify unpermitted collections.
• GHSA-h265-g7rm-h337: Fixed vulnerability allowing organization members to access items from unassigned collections.

Thanks for considering.

[al-lac]

Hey @christiaanwesterbeek, thanks for notifying us about this, we appreciate it 🤝

There is already a PR open for this update #4417, sadly we cannot go live with it just yet as it would break bitwarden due to the enforcement of HTTPS in recent versions of vaultwarden.

Will keep you posted once we have some updates for this here.