Change logs for flatpak source package in Focal

  • flatpak (1.6.5-0ubuntu0.4) focal-security; urgency=medium
    
      * SECURITY UPDATE: Sandbox bypass via recent VFS-manipulating syscalls
        (LP: #1946578)
        - debian/patches/CVE-2021-41133-1.patch
        - debian/patches/CVE-2021-41133-2.patch
        - debian/patches/CVE-2021-41133-3.patch
        - debian/patches/CVE-2021-41133-4.patch
        - debian/patches/CVE-2021-41133-5.patch
        - debian/patches/CVE-2021-41133-6.patch
        - debian/patches/CVE-2021-41133-7.patch
        - debian/patches/CVE-2021-41133-8.patch
        - debian/patches/CVE-2021-41133-9.patch
        - debian/patches/CVE-2021-41133-10.patch
        - CVE-2021-41133
    
     -- Andrew Hayzen <email address hidden>  Wed, 13 Oct 2021 00:36:35 +0100
  • flatpak (1.6.5-0ubuntu0.3) focal-security; urgency=medium
    
      * SECURITY UPDATE: Flatpak sandbox escape via crafted .desktop file
        (LP: #1918482)
        - debian/patches/CVE-2021-21381-1.patch: Disallow @@ and @@u usage in
          desktop files.
        - debian/patches/CVE-2021-21381-2.patch: dir: Reserve the whole @@
          prefix.
        - debian/patches/CVE-2021-21381-3.patch: dir: Refuse to export
          .desktop files with suspicious uses.
        - CVE-2021-21381
    
     -- Andrew Hayzen <email address hidden>  Fri, 05 Mar 2021 22:21:25 +0000
  • flatpak (1.6.5-0ubuntu0.2) focal-security; urgency=medium
    
      * SECURITY UPDATE: Flatpak sandbox escape via spawn portal (LP: #1911473)
        - debian/patches/CVE-2021-21261-1.patch: tests: Add minimal version
          of "ok" helper.
        - debian/patches/CVE-2021-21261-2.patch: common: Add a backport of
          G_DBUS_METHOD_INVOCATION_HANDLED.
        - debian/patches/CVE-2021-21261-3.patch: run: Convert all environment
          variables into bwrap arguments.
        - debian/patches/CVE-2021-21261-4.patch: tests: Expand coverage for
          environment variable overrides.
        - debian/patches/CVE-2021-21261-5.patch: context: Add --env-fd option.
        - debian/patches/CVE-2021-21261-6.patch: portal: Convert --env in
          extra-args into --env-fd.
        - debian/patches/CVE-2021-21261-7.patch: tests: Exercise --env-fd.
        - debian/patches/CVE-2021-21261-8.patch: portal: Do not use
          caller-supplied variables in environment.
        - debian/patches/CVE-2021-21261-9.patch: tests: Assert that --env= does
          not go in `flatpak run` or bwrap environ.
        - CVE-2021-21261
    
     -- Andrew Hayzen <email address hidden>  Wed, 13 Jan 2021 21:09:15 +0000
  • flatpak (1.6.5-0ubuntu0.1) focal; urgency=medium
    
      * New upstream release 1.6.5 (LP: #1884594)
        - Backports some of the OCI authenticator fixes from the 1.7 series
        - Fix a use-after-free in libflatpak
        - Don't list p2p downgrades in list of available updates
        - Install gdm env.d fragment, but only as an example file.
          It is harmful on systems where environment.d(5) works (in particular
          systems using systemd), because it overwrites additions to the
          XDG_DATA_DIRS coming from other app frameworks like Snap.
          However, using either this fragment or manual configuration might
          be necessary on non-systemd systems. See
          /usr/share/doc/flatpak/README.Debian for more details. (LP: #1801814)
        - debian/flatpak.README.Debian: Add
    
     -- Andrew Hayzen <email address hidden>  Wed, 08 Jul 2020 00:34:35 +0000
  • flatpak (1.6.3-1) unstable; urgency=medium
    
      * New upstream stable release
    
     -- Simon McVittie <email address hidden>  Tue, 31 Mar 2020 11:56:06 +0100
  • flatpak (1.6.2-1) unstable; urgency=medium
    
      * New upstream stable release
    
     -- Simon McVittie <email address hidden>  Thu, 13 Feb 2020 16:42:14 +0000
  • flatpak (1.6.1-1) unstable; urgency=medium
    
      * New upstream stable release
      * Use secure URI in Homepage field.
      * Set upstream metadata fields: Repository.
      * Remove obsolete field Name from debian/upstream/metadata (already
        present in machine-readable debian/copyright).
      * Standards-Version: 4.5.0 (no changes required)
    
     -- Simon McVittie <email address hidden>  Thu, 23 Jan 2020 17:53:52 +0000
  • flatpak (1.6.0-1) unstable; urgency=medium
    
      * New upstream stable release
        - d/p/testlibrary-Don-t-assert-that-progress-is-signalled.patch:
          Drop workaround, the leaks that broke this test have been fixed
        - Drop other patches, applied upstream
        - Bump xdg-desktop-portal dependency to 1.6.x.
          That version has new API which Flatpak apps might rely on, so the
          corresponding versions should be tested and backported together.
      * d/watch: Only watch for stable releases
      * Set upstream branch to upstream/1.6.x
      * Drop xdg-desktop-portal from Depends to Recommends.
        Installing xdg-desktop-portal 1.6.x is strongly recommended, but
        strictly speaking it is not required: some of the simpler Flatpak
        apps can work without it. (Closes: #947022)
      * tests: Depend on fuse and policykit-1
      * Revert Build-Conflicts on elogind to be nice to non-systemd derivatives.
        This was a workaround for the build-dependency resolver used in
        experimental, and is unnecessary now that I'm targeting unstable.
    
     -- Simon McVittie <email address hidden>  Tue, 24 Dec 2019 16:11:00 +0000
  • flatpak (1.4.3-1) unstable; urgency=medium
    
      * New upstream stable release
        - d/p/Don-t-register-polkit-agent-if-we-cannot-connect-to-syste.patch,
          d/p/tests-Skip-tests-that-use-system-helper-if-uid-or-gid-is-.patch:
          drop patches, applied upstream
      * Remove redundant --libexecdir, no longer needed with compat level 12
    
     -- Simon McVittie <email address hidden>  Thu, 19 Sep 2019 16:13:57 +0100