-
flatpak (1.10.2-1ubuntu1.1) hirsute-security; urgency=medium
* SECURITY UPDATE: Sandbox bypass via recent VFS-manipulating syscalls
(LP: #1946578)
- debian/paches/CVE-2021-41133-1.patch
- debian/paches/CVE-2021-41133-2.patch
- debian/paches/CVE-2021-41133-3.patch
- debian/paches/CVE-2021-41133-4.patch
- debian/paches/CVE-2021-41133-5.patch
- debian/paches/CVE-2021-41133-6.patch
- debian/paches/CVE-2021-41133-7.patch
- debian/paches/CVE-2021-41133-8.patch
- debian/paches/CVE-2021-41133-9.patch
- debian/paches/CVE-2021-41133-10.patch
- CVE-2021-41133
-- Andrew Hayzen <email address hidden> Wed, 13 Oct 2021 00:36:35 +0100
-
flatpak (1.10.2-1ubuntu1) hirsute; urgency=medium
* debian/patches/0001-system-helper-Fix-deploys-of-local-remotes.patch:
Cherry pick a patch to fix the tests with new glib2.0.
For updates in remotes with a local (file:) uri we just do a deploy with a
LOCAL_PULL flag set and an empty arg_repo_path. However, our arg_repo_path
checking at some point seemed to stop properly handling the case where it
is empty. I got it to report "No such file" wich broke the tests.
-- Iain Lane <email address hidden> Thu, 08 Apr 2021 18:12:53 +0100
-
flatpak (1.10.2-1) unstable; urgency=medium
* New upstream stable release
- Make --filesystem, --nofilesystem accept non-ASCII filenames more
reliably
- Improve solution for #984859 so it refuses to install apps that
appear to be trying to exploit the vulnerability
- Fix a memory leak
- Improve compatibility with openSUSE's X authentication setup
- Use a single version of Docbook for all documentation
- This release also incorporates the fixes that were applied in
1.10.1-2 and 1.10.1-3, and part of 1.10.1-4
* Drop patches that were applied upstream
* d/p/tests-Remove-hard-coded-references-to-x86_64.patch:
Mark the remaining patch as applied upstream for 1.11.0
* Add reference to #984859 in previous changelog entry
-- Simon McVittie <email address hidden> Wed, 10 Mar 2021 10:58:32 +0000
-
flatpak (1.10.1-4) unstable; urgency=high
* d/p/Disallow-and-u-usage-in-desktop-files.patch:
Add proposed patch to fix a sandbox escape via crafted .desktop
files (flatpak#4146). Thanks, Ryan Gonzalez
* d/p/tests-Remove-hard-coded-references-to-x86_64.patch:
Add proposed patch to fix some tests on non-x86_64 machines.
The affected tests were already skipped in schroot/lxc for other
reasons, but would be run (and fail) on autopkgtest testbeds with
isolation-machine and working FUSE.
-- Simon McVittie <email address hidden> Fri, 05 Mar 2021 10:21:35 +0000
-
flatpak (1.10.1-3ubuntu1) hirsute; urgency=medium
* Merge from Debian unstable. Remaining changes:
- Designate 'test-unused' test as flaky. It is new in this version, so
has never passed in autopkgtests on !amd64.
flatpak (1.10.1-3) unstable; urgency=medium
* Mark patch as applied upstream
* Add bugfixes from upstream flatpak-1.10.x branch
- Add extern "C" guards to header files, fixing compilation of C++ code
such as plasma-discover against GLib 2.67.x
- Fix memory leaks in the unit tests
-- Rik Mills <email address hidden> Fri, 26 Feb 2021 16:21:55 +0000
-
flatpak (1.10.1-2ubuntu2) hirsute; urgency=medium
* Designate 'test-unused' test as flaky. It is new in this version, so
has never passed in autopkgtests.
-- Rik Mills <email address hidden> Tue, 23 Feb 2021 20:48:19 +0000
-
flatpak (1.10.1-2ubuntu1) hirsute; urgency=medium
* Add patch from Fedora, backporting upstream commit fixing headers
after new glibc changes. Fixes at least plasma-discover FTBFS
against flatpak with new glibc.
- 0001-Add-G_BEGIN_DECLS-G_END_DECLS-to-public-headers.patch
-- Rik Mills <email address hidden> Tue, 23 Feb 2021 18:34:37 +0000
-
flatpak (1.10.1-2) unstable; urgency=medium
* d/patches: Disable FUSE-based revokefs if any of several factors fail.
This fixes FTBFS in pbuilder, and hopefully also on Launchpad
autobuilders.
-- Simon McVittie <email address hidden> Thu, 28 Jan 2021 22:24:20 +0000
-
flatpak (1.10.1-1) unstable; urgency=medium
* New upstream release
- Fix a regression in 'flatpak build' after fixing CVE-2021-21261
(Closes: #980323)
-- Simon McVittie <email address hidden> Thu, 21 Jan 2021 14:12:22 +0000
-
flatpak (1.10.0-2) unstable; urgency=medium
* Upload 1.10.x branch to unstable
* Add CVE-2021-21261 reference to 1.8.5-1 changelog entry
-- Simon McVittie <email address hidden> Sun, 17 Jan 2021 11:51:16 +0000
-
flatpak (1.8.5-1) unstable; urgency=high
* New upstream release fixing a sandbox escape vulnerability
(GHSA-4ppf-fxf6-vxg2)
* Mark patch for #975710 as having been applied upstream
-- Simon McVittie <email address hidden> Thu, 14 Jan 2021 09:34:09 +0000
-
flatpak (1.8.4-2) unstable; urgency=medium
* Mark patch for #972138 as having been applied upstream
* Add patch to avoid gvfs-daemon being started when logging in as root.
Thanks to Mourad De Clerck (Closes: #975710)
* Add package-specific info from bubblewrap to bug reports.
In particular, this will tell us whether it's setuid.
-- Simon McVittie <email address hidden> Sun, 03 Jan 2021 15:37:04 +0000
-
flatpak (1.8.4-1) unstable; urgency=medium
* debian/o.fd.Flatpak.pkla: sync with rules provided by upstream
* Use debian/unstable branch for packaging
* New upstream release
* d/p/variant-schema-compiler-Disable-optimized-calculation-of-.patch:
Drop patch, which should be unnecessary with the new version
-- Simon McVittie <email address hidden> Thu, 24 Dec 2020 10:58:59 +0000
-
flatpak (1.8.3-2) unstable; urgency=medium
* Preferentially build-depend on libgdk-pixbuf-2.0-dev.
We don't need the deprecated Xlib integration that is also pulled in
by the older libgdk-pixbuf2.0-dev package (see #974870).
* Standards-Version: 4.5.1 (no changes required)
-- Simon McVittie <email address hidden> Tue, 24 Nov 2020 12:01:18 +0000
-
flatpak (1.8.3-1) unstable; urgency=medium
* New upstream release
-- Simon McVittie <email address hidden> Thu, 19 Nov 2020 14:51:15 +0000
-
flatpak (1.8.2-3) unstable; urgency=medium
* d/p/Skip-parental-controls-checks-on-ServiceUnknown-or-NameHa.patch:
Add proposed patch to skip parental controls if accountsservice is not
installed.
The malcontent package (which activates parental controls support)
depends on accountsservice, but the libmalcontent-0-0 client library
does not, so we need to cope gracefully with the case where
neither malcontent nor accountsservice is installed. Presumably, in such
installations the sysadmin did not want the parental controls feature.
Ideally libmalcontent would do this itself (#972145). (Closes: #972138)
* Add Depends on dbus, for the well-known system bus service.
Now that the parental controls feature is enabled, Flatpak will refuse
to run apps if the D-Bus system bus is unavailable. Previously, it would
have partially worked (but with severely reduced functionality, in
particular only --user installations).
* d/control: Canonicalize case of Multi-Arch
* Update lintian overrides to silence some false-positives
-- Simon McVittie <email address hidden> Thu, 15 Oct 2020 09:47:28 +0100
-
flatpak (1.8.2-2) unstable; urgency=medium
[ Laurent Bigonville ]
* debian/control: Add libmalcontent-0-dev to the build-dependencies.
This provides optional parental controls for app installation and
launching.
[ Simon McVittie ]
* Add Suggests on malcontent-gui
-- Simon McVittie <email address hidden> Sat, 10 Oct 2020 20:10:55 +0100
-
flatpak (1.8.2-1) unstable; urgency=medium
* New upstream release
- Drop patch for #964541, applied upstream
-- Simon McVittie <email address hidden> Tue, 25 Aug 2020 15:57:31 +0100
