-
flatpak (1.6.5-0ubuntu0.4) focal-security; urgency=medium
  * SECURITY UPDATE: Sandbox bypass via recent VFS-manipulating syscalls
    (LP: #1946578)
    - debian/patches/CVE-2021-41133-1.patch
    - debian/patches/CVE-2021-41133-2.patch
    - debian/patches/CVE-2021-41133-3.patch
    - debian/patches/CVE-2021-41133-4.patch
    - debian/patches/CVE-2021-41133-5.patch
    - debian/patches/CVE-2021-41133-6.patch
    - debian/patches/CVE-2021-41133-7.patch
    - debian/patches/CVE-2021-41133-8.patch
    - debian/patches/CVE-2021-41133-9.patch
    - debian/patches/CVE-2021-41133-10.patch
    - CVE-2021-41133
 -- Andrew Hayzen <email address hidden>  Wed, 13 Oct 2021 00:36:35 +0100
-
flatpak (1.6.5-0ubuntu0.3) focal-security; urgency=medium
  * SECURITY UPDATE: Flatpak sandbox escape via crafted .desktop file
    (LP: #1918482)
    - debian/patches/CVE-2021-21381-1.patch: Disallow @@ and @@u usage in
      desktop files.
    - debian/patches/CVE-2021-21381-2.patch: dir: Reserve the whole @@
      prefix.
    - debian/patches/CVE-2021-21381-3.patch: dir: Refuse to export
      .desktop files with suspicious uses.
    - CVE-2021-21381
 -- Andrew Hayzen <email address hidden>  Fri, 05 Mar 2021 22:21:25 +0000
-
flatpak (1.6.5-0ubuntu0.2) focal-security; urgency=medium
  * SECURITY UPDATE: Flatpak sandbox escape via spawn portal (LP: #1911473)
    - debian/patches/CVE-2021-21261-1.patch: tests: Add minimal version
      of "ok" helper.
    - debian/patches/CVE-2021-21261-2.patch: common: Add a backport of
      G_DBUS_METHOD_INVOCATION_HANDLED.
    - debian/patches/CVE-2021-21261-3.patch: run: Convert all environment
      variables into bwrap arguments.
    - debian/patches/CVE-2021-21261-4.patch: tests: Expand coverage for
      environment variable overrides.
    - debian/patches/CVE-2021-21261-5.patch: context: Add --env-fd option.
    - debian/patches/CVE-2021-21261-6.patch: portal: Convert --env in
      extra-args into --env-fd.
    - debian/patches/CVE-2021-21261-7.patch: tests: Exercise --env-fd.
    - debian/patches/CVE-2021-21261-8.patch: portal: Do not use
      caller-supplied variables in environment.
    - debian/patches/CVE-2021-21261-9.patch: tests: Assert that --env= does
      not go in `flatpak run` or bwrap environ.
    - CVE-2021-21261
 -- Andrew Hayzen <email address hidden>  Wed, 13 Jan 2021 21:09:15 +0000
-
flatpak (1.6.5-0ubuntu0.1) focal; urgency=medium
  * New upstream release 1.6.5 (LP: #1884594)
    - Backports some of the OCI authenticator fixes from the 1.7 series
    - Fix a use-after-free in libflatpak
    - Don't list p2p downgrades in list of available updates
    - Install gdm env.d fragment, but only as an example file.
      It is harmful on systems where environment.d(5) works (in particular
      systems using systemd), because it overwrites additions to the
      XDG_DATA_DIRS coming from other app frameworks like Snap.
      However, using either this fragment or manual configuration might
      be necessary on non-systemd systems. See
      /usr/share/doc/flatpak/README.Debian for more details. (LP: #1801814)
    - debian/flatpak.README.Debian: Add
 -- Andrew Hayzen <email address hidden>  Wed, 08 Jul 2020 00:34:35 +0000
-
flatpak (1.6.3-1) unstable; urgency=medium
  * New upstream stable release
 -- Simon McVittie <email address hidden>  Tue, 31 Mar 2020 11:56:06 +0100
-
flatpak (1.6.2-1) unstable; urgency=medium
  * New upstream stable release
 -- Simon McVittie <email address hidden>  Thu, 13 Feb 2020 16:42:14 +0000
-
flatpak (1.6.1-1) unstable; urgency=medium
  * New upstream stable release
  * Use secure URI in Homepage field.
  * Set upstream metadata fields: Repository.
  * Remove obsolete field Name from debian/upstream/metadata (already
    present in machine-readable debian/copyright).
  * Standards-Version: 4.5.0 (no changes required)
 -- Simon McVittie <email address hidden>  Thu, 23 Jan 2020 17:53:52 +0000
-
flatpak (1.6.0-1) unstable; urgency=medium
  * New upstream stable release
    - d/p/testlibrary-Don-t-assert-that-progress-is-signalled.patch:
      Drop workaround, the leaks that broke this test have been fixed
    - Drop other patches, applied upstream
    - Bump xdg-desktop-portal dependency to 1.6.x.
      That version has new API which Flatpak apps might rely on, so the
      corresponding versions should be tested and backported together.
  * d/watch: Only watch for stable releases
  * Set upstream branch to upstream/1.6.x
  * Drop xdg-desktop-portal from Depends to Recommends.
    Installing xdg-desktop-portal 1.6.x is strongly recommended, but
    strictly speaking it is not required: some of the simpler Flatpak
    apps can work without it. (Closes: #947022)
  * tests: Depend on fuse and policykit-1
  * Revert Build-Conflicts on elogind to be nice to non-systemd derivatives.
    This was a workaround for the build-dependency resolver used in
    experimental, and is unnecessary now that I'm targeting unstable.
 -- Simon McVittie <email address hidden>  Tue, 24 Dec 2019 16:11:00 +0000
-
flatpak (1.4.3-1) unstable; urgency=medium
  * New upstream stable release
    - d/p/Don-t-register-polkit-agent-if-we-cannot-connect-to-syste.patch,
      d/p/tests-Skip-tests-that-use-system-helper-if-uid-or-gid-is-.patch:
      drop patches, applied upstream
  * Remove redundant --libexecdir, no longer needed with compat level 12
 -- Simon McVittie <email address hidden>  Thu, 19 Sep 2019 16:13:57 +0100