Use an older version of mariadb to prevent a panic (#6453)

* Use an older version of mariadb to prevent a panic The Debian builds use a newer version of libmariadb which causes Diesel to panic on certain queries. This commit prevents this by using an older version of libmariadb which doesn't cause this panic. The Alpine based versions use a patched version which reverts the commit in the libmariadb library which causes this panic. In the future this might be fixed in Diesel it self (https://github.com/dani-garcia/vaultwarden/issues/6416#issuecomment-3508822097), but until then, we use an older version of the library. Fixes #6416 Signed-off-by: BlackDex <black.dex@gmail.com> * Update GHA versions Signed-off-by: BlackDex <black.dex@gmail.com> * Resolve docker build check issue Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
1 week ago · f9751a0a1d
5 changed files with 99 additions and 67 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -53,7 +53,7 @@ jobs:

    steps:
      - name: Initialize QEMU binfmt support
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
        with:
          platforms: "arm64,arm"

--- a/Cargo.lock
+++ b/Cargo.lock
@ -161,9 +161,9 @@ dependencies = [

 [[package]]
 name = "async-compression"
-version = "0.4.32"
+version = "0.4.33"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5a89bce6054c720275ac2432fbba080a66a2106a44a1b804553930ca6909f4e0"
+checksum = "93c1f86859c1af3d514fa19e8323147ff10ea98684e6c7b307912509f50e67b2"
 dependencies = [
 "compression-codecs",
 "compression-core",
@ -361,9 +361,9 @@ checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"

 [[package]]
 name = "aws-config"
-version = "1.8.8"
+version = "1.8.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "37cf2b6af2a95a20e266782b4f76f1a5e12bf412a9db2de9c1e9123b9d8c0ad8"
+checksum = "1856b1b48b65f71a4dd940b1c0931f9a7b646d4a924b9828ffefc1454714668a"
 dependencies = [
 "aws-credential-types",
 "aws-runtime",
@ -391,9 +391,9 @@ dependencies = [

 [[package]]
 name = "aws-credential-types"
-version = "1.2.8"
+version = "1.2.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "faf26925f4a5b59eb76722b63c2892b1d70d06fa053c72e4a100ec308c1d47bc"
+checksum = "86590e57ea40121d47d3f2e131bfd873dea15d78dc2f4604f4734537ad9e56c4"
 dependencies = [
 "aws-smithy-async",
 "aws-smithy-runtime-api",
@ -403,9 +403,9 @@ dependencies = [

 [[package]]
 name = "aws-runtime"
-version = "1.5.12"
+version = "1.5.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bfa006bb32360ed90ac51203feafb9d02e3d21046e1fd3a450a404b90ea73e5d"
+checksum = "8fe0fd441565b0b318c76e7206c8d1d0b0166b3e986cf30e890b61feb6192045"
 dependencies = [
 "aws-credential-types",
 "aws-sigv4",
@ -427,9 +427,9 @@ dependencies = [

 [[package]]
 name = "aws-sdk-sso"
-version = "1.86.0"
+version = "1.89.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4a0abbfab841446cce6e87af853a3ba2cc1bc9afcd3f3550dd556c43d434c86d"
+checksum = "a9c1b1af02288f729e95b72bd17988c009aa72e26dcb59b3200f86d7aea726c9"
 dependencies = [
 "aws-credential-types",
 "aws-runtime",
@ -449,9 +449,9 @@ dependencies = [

 [[package]]
 name = "aws-sdk-ssooidc"
-version = "1.89.0"
+version = "1.91.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "695dc67bb861ccb8426c9129b91c30e266a0e3d85650cafdf62fcca14c8fd338"
+checksum = "4e8122301558dc7c6c68e878af918880b82ff41897a60c8c4e18e4dc4d93e9f1"
 dependencies = [
 "aws-credential-types",
 "aws-runtime",
@ -471,9 +471,9 @@ dependencies = [

 [[package]]
 name = "aws-sdk-sts"
-version = "1.88.0"
+version = "1.91.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d30990923f4f675523c51eb1c0dec9b752fb267b36a61e83cbc219c9d86da715"
+checksum = "8f8090151d4d1e971269957b10dbf287bba551ab812e591ce0516b1c73b75d27"
 dependencies = [
 "aws-credential-types",
 "aws-runtime",
@ -494,9 +494,9 @@ dependencies = [

 [[package]]
 name = "aws-sigv4"
-version = "1.3.5"
+version = "1.3.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bffc03068fbb9c8dd5ce1c6fb240678a5cffb86fb2b7b1985c999c4b83c8df68"
+checksum = "c35452ec3f001e1f2f6db107b6373f1f48f05ec63ba2c5c9fa91f07dad32af11"
 dependencies = [
 "aws-credential-types",
 "aws-smithy-http",
@ -527,15 +527,16 @@ dependencies = [

 [[package]]
 name = "aws-smithy-http"
-version = "0.62.4"
+version = "0.62.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3feafd437c763db26aa04e0cc7591185d0961e64c61885bece0fb9d50ceac671"
+checksum = "445d5d720c99eed0b4aa674ed00d835d9b1427dd73e04adaf2f94c6b2d6f9fca"
 dependencies = [
 "aws-smithy-runtime-api",
 "aws-smithy-types",
 "bytes",
 "bytes-utils",
 "futures-core",
+ "futures-util",
 "http 0.2.12",
 "http 1.3.1",
 "http-body 0.4.6",
@ -547,9 +548,9 @@ dependencies = [

 [[package]]
 name = "aws-smithy-json"
-version = "0.61.6"
+version = "0.61.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cff418fc8ec5cadf8173b10125f05c2e7e1d46771406187b2c878557d4503390"
+checksum = "2db31f727935fc63c6eeae8b37b438847639ec330a9161ece694efba257e0c54"
 dependencies = [
 "aws-smithy-types",
 ]
@ -575,9 +576,9 @@ dependencies = [

 [[package]]
 name = "aws-smithy-runtime"
-version = "1.9.3"
+version = "1.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "40ab99739082da5347660c556689256438defae3bcefd66c52b095905730e404"
+checksum = "0bbe9d018d646b96c7be063dd07987849862b0e6d07c778aad7d93d1be6c1ef0"
 dependencies = [
 "aws-smithy-async",
 "aws-smithy-http",
@ -638,18 +639,18 @@ dependencies = [

 [[package]]
 name = "aws-smithy-xml"
-version = "0.60.11"
+version = "0.60.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e9c34127e8c624bc2999f3b657e749c1393bedc9cd97b92a804db8ced4d2e163"
+checksum = "eab77cdd036b11056d2a30a7af7b775789fb024bf216acc13884c6c97752ae56"
 dependencies = [
 "xmlparser",
 ]

 [[package]]
 name = "aws-types"
-version = "1.3.9"
+version = "1.3.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e2fd329bf0e901ff3f60425691410c69094dc2a1f34b331f37bfc4e9ac1565a1"
+checksum = "d79fb68e3d7fe5d4833ea34dc87d2e97d26d3086cb3da660bb6b1f76d98680b6"
 dependencies = [
 "aws-credential-types",
 "aws-smithy-async",
@ -919,9 +920,9 @@ dependencies = [

 [[package]]
 name = "cc"
-version = "1.2.43"
+version = "1.2.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "739eb0f94557554b3ca9a86d2d37bebd49c5e6d0c1d2bda35ba5bdac830befc2"
+checksum = "35900b6c8d709fb1d854671ae27aeaa9eec2f8b01b364e1619a40da3e6fe2afe"
 dependencies = [
 "find-msvc-tools",
 "jobserver",
@ -993,9 +994,9 @@ checksum = "b9e769b5c8c8283982a987c6e948e540254f1058d5a74b8794914d4ef5fc2a24"

 [[package]]
 name = "compression-codecs"
-version = "0.4.31"
+version = "0.4.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ef8a506ec4b81c460798f572caead636d57d3d7e940f998160f52bd254bf2d23"
+checksum = "680dc087785c5230f8e8843e2e57ac7c1c90488b6a91b88caa265410568f441b"
 dependencies = [
 "brotli",
 "compression-core",
@ -1007,9 +1008,9 @@ dependencies = [

 [[package]]
 name = "compression-core"
-version = "0.4.29"
+version = "0.4.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e47641d3deaf41fb1538ac1f54735925e275eaf3bf4d55c81b137fba797e5cbb"
+checksum = "3a9b614a5787ef0c8802a55766480563cb3a93b435898c422ed2a359cf811582"

 [[package]]
 name = "concurrent-queue"
@ -2414,7 +2415,7 @@ dependencies = [
 "http 1.3.1",
 "hyper 1.7.0",
 "hyper-util",
- "rustls 0.23.34",
+ "rustls 0.23.35",
 "rustls-native-certs",
 "rustls-pki-types",
 "tokio",
@ -2656,9 +2657,9 @@ checksum = "469fb0b9cefa57e3ef31275ee7cacb78f2fdca44e4765491884a2b119d4eb130"

 [[package]]
 name = "iri-string"
-version = "0.7.8"
+version = "0.7.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dbc5ebe9c3a1a7a5127f920a418f7585e9e758e911d0466ed004f393b0e380b2"
+checksum = "4f867b9d1d896b67beb18518eda36fdb77a32ea590de864f1325b294a6d14397"
 dependencies = [
 "memchr",
 "serde",
@ -2791,7 +2792,7 @@ dependencies = [
 "nom 8.0.0",
 "percent-encoding",
 "quoted_printable",
- "rustls 0.23.34",
+ "rustls 0.23.35",
 "rustls-native-certs",
 "serde",
 "socket2 0.6.1",
@ -3113,11 +3114,10 @@ dependencies = [

 [[package]]
 name = "num-bigint-dig"
-version = "0.8.4"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dc84195820f291c7697304f3cbdadd1cb7199c0efc917ff5eafd71225c136151"
+checksum = "82c79c15c05d4bf82b6f5ef163104cc81a760d8e874d38ac50ab67c8877b647b"
 dependencies = [
- "byteorder",
 "lazy_static",
 "libm",
 "num-integer",
@ -3318,9 +3318,9 @@ dependencies = [

 [[package]]
 name = "openssl"
-version = "0.10.74"
+version = "0.10.75"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "24ad14dd45412269e1a30f52ad8f0664f0f4f4a89ee8fe28c3b3527021ebb654"
+checksum = "08838db121398ad17ab8531ce9de97b244589089e290a384c900cb9ff7434328"
 dependencies = [
 "bitflags",
 "cfg-if",
@ -3359,9 +3359,9 @@ dependencies = [

 [[package]]
 name = "openssl-sys"
-version = "0.9.110"
+version = "0.9.111"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0a9f0075ba3c21b09f8e8b2026584b1d18d49388648f2fbbf3c97ea8deced8e2"
+checksum = "82cab2d520aa75e3c58898289429321eb788c3106963d0dc886ec7a5f4adc321"
 dependencies = [
 "cc",
 "libc",
@ -3881,7 +3881,7 @@ dependencies = [
 "quinn-proto",
 "quinn-udp",
 "rustc-hash",
- "rustls 0.23.34",
+ "rustls 0.23.35",
 "socket2 0.6.1",
 "thiserror 2.0.17",
 "tokio",
@ -3901,7 +3901,7 @@ dependencies = [
 "rand 0.9.2",
 "ring",
 "rustc-hash",
- "rustls 0.23.34",
+ "rustls 0.23.35",
 "rustls-pki-types",
 "slab",
 "thiserror 2.0.17",
@ -3926,9 +3926,9 @@ dependencies = [

 [[package]]
 name = "quote"
-version = "1.0.41"
+version = "1.0.42"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ce25767e7b499d1b604768e7cde645d14cc8584231ea6b295e9c9eb22c02e1d1"
+checksum = "a338cc41d27e6cc6dce6cefc13a0729dfbb81c262b1f519331575dd80ef3067f"
 dependencies = [
 "proc-macro2",
 ]
@ -4162,7 +4162,7 @@ dependencies = [
 "percent-encoding",
 "pin-project-lite",
 "quinn",
- "rustls 0.23.34",
+ "rustls 0.23.35",
 "rustls-native-certs",
 "rustls-pki-types",
 "serde",
@ -4433,9 +4433,9 @@ dependencies = [

 [[package]]
 name = "rustls"
-version = "0.23.34"
+version = "0.23.35"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a9586e9ee2b4f8fab52a0048ca7334d7024eef48e2cb9407e3497bb7cab7fa7"
+checksum = "533f54bc6a7d4f647e46ad909549eda97bf5afc1585190ef692b4286b198bd8f"
 dependencies = [
 "log",
 "once_cell",
@ -4560,9 +4560,9 @@ dependencies = [

 [[package]]
 name = "schemars"
-version = "1.0.4"
+version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "82d20c4491bc164fa2f6c5d44565947a52ad80b9505d8e36f8d54c27c739fcd0"
+checksum = "9558e172d4e8533736ba97870c4b2cd63f84b382a3d6eb063da41b91cce17289"
 dependencies = [
 "dyn-clone",
 "ref-cast",
@ -4788,7 +4788,7 @@ dependencies = [
 "indexmap 1.9.3",
 "indexmap 2.12.0",
 "schemars 0.9.0",
- "schemars 1.0.4",
+ "schemars 1.1.0",
 "serde_core",
 "serde_json",
 "serde_with_macros",
@ -5049,9 +5049,9 @@ dependencies = [

 [[package]]
 name = "syn"
-version = "2.0.108"
+version = "2.0.110"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da58917d35242480a05c2897064da0a80589a2a0476c9a3f2fdc83b53502e917"
+checksum = "a99801b5bd34ede4cf3fc688c5919368fea4e4814a4664359503e6015b280aea"
 dependencies = [
 "proc-macro2",
 "quote",
@ -5309,7 +5309,7 @@ version = "0.26.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1729aa945f29d91ba541258c8df89027d5792d85a8841fb65e8bf0f4ede4ef61"
 dependencies = [
- "rustls 0.23.34",
+ "rustls 0.23.35",
 "tokio",
 ]

@ -5338,9 +5338,9 @@ dependencies = [

 [[package]]
 name = "tokio-util"
-version = "0.7.16"
+version = "0.7.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "14307c986784f72ef81c89db7d9e28d6ac26d16213b109ea501696195e6e3ce5"
+checksum = "2efa149fe76073d6e8fd97ef4f4eca7b67f599660115591483572e406e165594"
 dependencies = [
 "bytes",
 "futures-core",
@ -5972,9 +5972,9 @@ dependencies = [

 [[package]]
 name = "webpki-roots"
-version = "1.0.3"
+version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "32b130c0d2d49f8b6889abc456e795e82525204f27c42cf767cf0d7734e089b8"
+checksum = "b2878ef029c47c6e8cf779119f20fcf52bde7ad42a731b2a304bc221df17571e"
 dependencies = [
 "rustls-pki-types",
 ]
--- a/Cargo.toml
+++ b/Cargo.toml
@ -80,7 +80,7 @@ dashmap = "6.1.0"
 # Async futures
 futures = "0.3.31"
 tokio = { version = "1.48.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] }
-tokio-util = { version = "0.7.16", features = ["compat"]}
+tokio-util = { version = "0.7.17", features = ["compat"]}

 # A generic serialization/deserialization framework
 serde = { version = "1.0.228", features = ["derive"] }
@ -161,7 +161,7 @@ cookie = "0.18.1"
 cookie_store = "0.22.0"

 # Used by U2F, JWT and PostgreSQL
-openssl = "0.10.74"
+openssl = "0.10.75"

 # CLI argument parsing
 pico-args = "0.5.0"
@ -197,8 +197,8 @@ opendal = { version = "0.54.1", features = ["services-fs"], default-features = f

 # For retrieving AWS credentials, including temporary SSO credentials
 anyhow = { version = "1.0.100", optional = true }
-aws-config = { version = "1.8.8", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true }
-aws-credential-types = { version = "1.2.8", optional = true }
+aws-config = { version = "1.8.10", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true }
+aws-credential-types = { version = "1.2.9", optional = true }
 aws-smithy-runtime-api = { version = "1.9.2", optional = true }
 http = { version = "1.3.1", optional = true }
 reqsign = { version = "0.16.5", optional = true }
--- a/docker/Dockerfile.debian
+++ b/docker/Dockerfile.debian
@ -52,6 +52,14 @@ ENV DEBIAN_FRONTEND=noninteractive \
    CARGO_HOME="/root/.cargo" \
    USER="root"

+# Force the install of an older MariaDB library to prevent a Diesel panic
+# See https://github.com/dani-garcia/vaultwarden/issues/6416
+RUN echo "deb http://snapshot.debian.org/archive/debian/20250707T084701Z/ trixie main" > /etc/apt/sources.list.d/snapshot.list && \
+    echo "Acquire::Check-Valid-Until false;" > etc/apt/apt.conf.d/AllowSnapshot && \
+    echo 'Package: libmariadb libmariadb3 libmariadb-dev mariadb*' > /etc/apt/preferences.d/mariadb-snapshot && \
+    echo 'Pin: origin "snapshot.debian.org"' >> /etc/apt/preferences.d/mariadb-snapshot && \
+    echo 'Pin-Priority: 1001' >> /etc/apt/preferences.d/mariadb-snapshot
+
 # Install clang to get `xx-cargo` working
 # Install pkg-config to allow amd64 builds to find all libraries
 # Install git so build.rs can determine the correct version
@ -171,11 +179,19 @@ ENV ROCKET_PROFILE="release" \

 # Create data folder and Install needed libraries
 RUN mkdir /data && \
+    # Force the install of an older MariaDB library to prevent a Diesel panic
+    # See https://github.com/dani-garcia/vaultwarden/issues/6416
+    echo "deb http://snapshot.debian.org/archive/debian/20250707T084701Z/ trixie main" > /etc/apt/sources.list.d/snapshot.list && \
+    echo "Acquire::Check-Valid-Until false;" > etc/apt/apt.conf.d/AllowSnapshot && \
+    echo 'Package: libmariadb libmariadb3 libmariadb-dev mariadb*' > /etc/apt/preferences.d/mariadb-snapshot && \
+    echo 'Pin: origin "snapshot.debian.org"' >> /etc/apt/preferences.d/mariadb-snapshot && \
+    echo 'Pin-Priority: 1001' >> /etc/apt/preferences.d/mariadb-snapshot && \
+    # Continue with normal install
    apt-get update && apt-get install -y \
        --no-install-recommends \
        ca-certificates \
        curl \
-        libmariadb-dev \
+        libmariadb3 \
        libpq5 \
        openssl && \
    apt-get clean && \
--- a/docker/Dockerfile.j2
+++ b/docker/Dockerfile.j2
@ -70,6 +70,14 @@ ENV DEBIAN_FRONTEND=noninteractive \

 {% if base == "debian" %}

+# Force the install of an older MariaDB library to prevent a Diesel panic
+# See https://github.com/dani-garcia/vaultwarden/issues/6416
+RUN echo "deb http://snapshot.debian.org/archive/debian/20250707T084701Z/ trixie main" > /etc/apt/sources.list.d/snapshot.list && \
+    echo "Acquire::Check-Valid-Until false;" > etc/apt/apt.conf.d/AllowSnapshot && \
+    echo 'Package: libmariadb libmariadb3 libmariadb-dev mariadb*' > /etc/apt/preferences.d/mariadb-snapshot && \
+    echo 'Pin: origin "snapshot.debian.org"' >> /etc/apt/preferences.d/mariadb-snapshot && \
+    echo 'Pin-Priority: 1001' >> /etc/apt/preferences.d/mariadb-snapshot
+
 # Install clang to get `xx-cargo` working
 # Install pkg-config to allow amd64 builds to find all libraries
 # Install git so build.rs can determine the correct version
@ -208,11 +216,19 @@ ENV ROCKET_PROFILE="release" \
 # Create data folder and Install needed libraries
 RUN mkdir /data && \
 {% if base == "debian" %}
+    # Force the install of an older MariaDB library to prevent a Diesel panic
+    # See https://github.com/dani-garcia/vaultwarden/issues/6416
+    echo "deb http://snapshot.debian.org/archive/debian/20250707T084701Z/ trixie main" > /etc/apt/sources.list.d/snapshot.list && \
+    echo "Acquire::Check-Valid-Until false;" > etc/apt/apt.conf.d/AllowSnapshot && \
+    echo 'Package: libmariadb libmariadb3 libmariadb-dev mariadb*' > /etc/apt/preferences.d/mariadb-snapshot && \
+    echo 'Pin: origin "snapshot.debian.org"' >> /etc/apt/preferences.d/mariadb-snapshot && \
+    echo 'Pin-Priority: 1001' >> /etc/apt/preferences.d/mariadb-snapshot && \
+    # Continue with normal install
    apt-get update && apt-get install -y \
        --no-install-recommends \
        ca-certificates \
        curl \
-        libmariadb-dev \
+        libmariadb3 \
        libpq5 \
        openssl && \
    apt-get clean && \