Change logs for bubblewrap source package in Zesty

  • bubblewrap (0.1.7-1) unstable; urgency=medium
    
      * New upstream release
        - effectively the same as 0.1.6-2
        - drop all patches
    
     -- Simon McVittie <email address hidden>  Thu, 19 Jan 2017 14:33:46 +0000
  • bubblewrap (0.1.6-2) unstable; urgency=medium
    
      * d/p/Make-the-call-to-setsid-optional-with-new-session.patch:
        Add patch from upstream to make the setsid() that addresses
        CVE-2017-5226 optional, because it breaks interactive shells.
        Users of bubblewrap to confine untrusted programs should either
        add --new-session to the bwrap command line, or prevent the
        TIOCSTI ioctl with a seccomp filter instead (as Flatpak does).
        - d/control: add Breaks on versions of Flatpak that did not
          load the necessary seccomp filter to prevent CVE-2017-5226
      * d/p/demos-bubblewrap-shell.sh-Unshare-all-namespaces.patch:
        Add patch from upstream to improve example code
      * d/p/Call-setsid-and-setexeccon-befor-forking-the-init-monitor.patch,
        d/p/Install-seccomp-filter-at-the-very-end.patch:
        Add patches from upstream to re-order initialization. This means
        the seccomp filter is no longer required to account for syscalls that
        are made by bwrap itself.
      * d/p/Add-unshare-all-and-share-net.patch:
        Add patch from upstream introducing new command line options
        --unshare-all and --share-net, for a more whitelist-based approach
        to sharing namespaces with the parent.
    
     -- Simon McVittie <email address hidden>  Wed, 18 Jan 2017 00:56:19 +0000
  • bubblewrap (0.1.6-1) unstable; urgency=medium
    
      * New upstream release
        - drop the only patch, applied upstream
      * debian/patches: update to upstream master for additional fixes
        to SIGCHLD handling and documentation, and improved hardening
        against being able to obtain capabilities
      * debian/bubblewrap.examples: install upstream examples
    
     -- Simon McVittie <email address hidden>  Sat, 14 Jan 2017 22:18:09 +0000
  • bubblewrap (0.1.5-2) unstable; urgency=high
    
      * d/p/Call-setsid-before-executing-sandboxed-code-CVE-2017-5226.patch:
        Call setsid() before executing sandboxed code, preventing a
        sandboxed executable invoked with a controlling terminal (for
        example in Flatpak) from escalating its privileges by injecting
        keypresses into the controlling terminal with the TIOCSTI
        ioctl. (Closes: #850702; CVE-2017-5226)
      * d/control: remove Maintainer status from Laszlo Boszormenyi at his
        request. Add him to Uploaders instead, and hand the package over
        to the Utopia Maintenance Team (the same as OSTree and Flatpak).
    
     -- Simon McVittie <email address hidden>  Mon, 09 Jan 2017 18:09:54 +0000
  • bubblewrap (0.1.5-1) unstable; urgency=medium
    
      * New upstream release
        - drop all patches, applied upstream
        - debian/copyright: update for build system additions
    
     -- Simon McVittie <email address hidden>  Tue, 20 Dec 2016 11:25:23 +0000
  • bubblewrap (0.1.4-2) unstable; urgency=medium
    
      * d/tests/*: only run tests on a real or virtual machine, not in a
        container. bubblewrap is effectively already a container, and
        nesting containers doesn't work particularly well.
        Unfortunately this means the tests won't work on ci.debian.net,
        which uses LXC.
    
     -- Simon McVittie <email address hidden>  Thu, 01 Dec 2016 12:42:33 +0000
  • bubblewrap (0.1.4-1) unstable; urgency=medium
    
      * New upstream release
      * d/p/test-run-be-a-bash-script.patch,
        d/p/test-run-don-t-assume-we-are-uid-1000.patch,
        d/p/Adapt-tests-so-they-can-be-run-against-installed-binaries.patch,
        d/p/Fix-incorrect-nesting-of-backticks-when-finding-a-FUSE-mo.patch:
        improve the upstream tests
      * d/tests/upstream: run the upstream tests as autopkgtests
      * d/rules: Do not enable setuid mode at configure time. If we do, we
        can't run the build-time tests, and it no longer makes any difference
        to the actual code. Make the executable setuid via Debian packaging
        instead.
    
     -- Simon McVittie <email address hidden>  Tue, 29 Nov 2016 12:55:31 +0000
  • bubblewrap (0.1.3-1) unstable; urgency=medium
    
      * New upstream release
        - bring back --set-hostname, the upstream fix for CVE-2016-8659
          makes it no longer a vulnerability
    
     -- Simon McVittie <email address hidden>  Sun, 16 Oct 2016 14:32:11 +0100
  • bubblewrap (0.1.2-1) unstable; urgency=medium
    
      * New upstream release
    
     -- Simon McVittie <email address hidden>  Fri, 09 Sep 2016 09:22:57 +0100
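
The 0.1.6-2 entry above names a seccomp filter that prevents the TIOCSTI ioctl as the alternative to --new-session. The following is an added example of such a filter in raw classic BPF, not code from bubblewrap, Flatpak or the Debian packaging; the names deny_tiocsti, tiocsti_errno_under_filter, NATIVE_ARCH, LD and RET are hypothetical, and a little-endian 64-bit target (x86_64 or aarch64) is assumed.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)            /* assumption: little-endian 64-bit targets only */
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this target"
#endif
#define LD(field) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, field))
#define RET(v)    BPF_STMT(BPF_RET | BPF_K, (v))
/* Fail ioctl(fd, TIOCSTI, ...) with EPERM and allow every other syscall. */
int deny_tiocsti(void) {
    struct sock_filter f[] = {
        LD(arch),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 0, 7), /* foreign ABI: kill */
        LD(nr),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000, 5, 0),  /* x32 bit set: kill */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_ioctl, 0, 3),   /* not ioctl: allow */
        LD(args[1]),  /* low 32 bits of the request, all the kernel's ioctl() uses */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 0, 1),
        RET(SECCOMP_RET_ERRNO | EPERM),
        RET(SECCOMP_RET_ALLOW),
        RET(SECCOMP_RET_KILL),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Self-check in a forked child: returns the errno TIOCSTI fails with under the
 * filter (EPERM expected). Using fd -1 means no terminal is ever touched. */
int tiocsti_errno_under_filter(void) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0)  /* child: 255 means the filter could not be installed */
        _exit(deny_tiocsti() != 0 ? 255 : ioctl(-1, TIOCSTI, "x") == -1 ? errno : 0);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
int main(void) { return tiocsti_errno_under_filter() == EPERM ? 0 : 1; }
```

Without the filter the same call on fd -1 fails with EBADF, so an EPERM result shows the filter rejected the request before the kernel looked at the descriptor.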