-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 14 Aug 2024 18:20:19 BST
Source: flatpak
Architecture: source
Version: 1.14.10-1~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Utopia Maintenance Team
Changed-By: Simon McVittie
Changes:
 flatpak (1.14.10-1~deb12u1) bookworm-security; urgency=high
 .
   * Backport upstream stable release into Debian 12 (CVE-2024-42472)
   * d/control: Relax required bubblewrap version to 0.8.0-2+deb12u1.
     This version has a backport of the required --bind-fd option.
   * Other changes relative to 1.14.10-1 in unstable:
     - Revert polkitd dependencies to polkitd | policykit-1 as previously
       used in bookworm
     - Revert pkgconf dependencies to pkg-config as previously used in
       bookworm
     - Revert location of systemd unit to /lib/systemd/system as previously
       used in bookworm, dropping versioned dependency on debhelper 13.11.6~
     - Revert changes related to Debian 13 GIR XML packaging policy
 .
 flatpak (1.14.10-1) unstable; urgency=high
 .
   * New upstream stable release
     - Don't follow symbolic links when mounting persistent directories
       (--persist option). This prevents a sandbox escape where a malicious
       or compromised app could edit the symlink to point to a directory
       that the app should not have been allowed to read or write.
       (CVE-2024-42472, GHSA-7hgv-f2j8-xw87)
   * d/control: Bump required bubblewrap version to 0.10.0. This adds
     the new --bind-fd option, required to solve CVE-2024-42472 without
     introducing a race condition.
Checksums-Sha256:
 09062fc52e7f89249a20a48d0e3267bd281182f7eea990744d371e342d2d4eaf 3884 flatpak_1.14.10-1~deb12u1.dsc
 873ae87d367557190e159c6f281ce82acc512f38743ca284e8785f89293add11 36600 flatpak_1.14.10-1~deb12u1.debian.tar.xz
 816fc85be5a6ce224077c8a08a2278852ae96cf690e98b1e62dcb862639feb73 12323 flatpak_1.14.10-1~deb12u1_source.buildinfo
 6bbdc7908127350ad85a4a47d70292ca2f4c46e977b32b1fd231c2a719d821cd 1647100 flatpak_1.14.10.orig.tar.xz
 86f596ae816c77b6ee2789df177cc194d0a86d5ebd127d2a5c5cf99a627641ca 833 flatpak_1.14.10.orig.tar.xz.asc
Checksums-Sha1:
 618e4d802633d3dd0d10dbb79d8fcf076eca41f0 3884 flatpak_1.14.10-1~deb12u1.dsc
 0b0d0178c024823562ad3364add86fb13156d943 36600 flatpak_1.14.10-1~deb12u1.debian.tar.xz
 d9b515872c436d0e33a489037d57dfd0d3aba07a 12323 flatpak_1.14.10-1~deb12u1_source.buildinfo
 29eda29e492f82aeeb3b670a89d7636267e35cf0 1647100 flatpak_1.14.10.orig.tar.xz
 52fcc6407ed227ae632db6625398800d175de844 833 flatpak_1.14.10.orig.tar.xz.asc
Files:
 46b68872d0323d2cb46a5b0b0cf60f1b 3884 admin optional flatpak_1.14.10-1~deb12u1.dsc
 31b70edb805de5f4796e2d8a7d4e886e 36600 admin optional flatpak_1.14.10-1~deb12u1.debian.tar.xz
 ab74924d680ec951d587d58cc7285fc9 12323 admin optional flatpak_1.14.10-1~deb12u1_source.buildinfo
 4eb3f96ab7a73b01b408e5bb15630106 1647100 admin optional flatpak_1.14.10.orig.tar.xz
 067ee69526edc3294dcfb3d43fd99de6 833 admin optional flatpak_1.14.10.orig.tar.xz.asc
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAma851kACgkQ4FrhR4+B
TE8aexAAqKMSa7ccMGT9RPqvNgh8ruZ8ZQ4lLGTittl8nIchu0EQzEKqCYZOHpXO
IoZKJ0yP7hYq2r1LWyoS/nazpuzwECk6vXnznVMGloaJ9JHnH+VBinIhG/YLiWBH
2uMnLU/lMx0gM823SEfnLqUqEP1GPp8HgkJOozbWcHIFZJGeFkOh06kZpjDNrg7r
+yYGuTCnNzGdaeXUPw9DzFi24tHqXHapgM+pCyOhQbv9bydaMw/4Bg2HqbWGvyH1
HhUPwWqBw9lCJD97qRnabrtaaIHRO4cgkZhjQu+vyPcP1QRkoXPrQDHtld0eUiJm
JtXadkM9Jkgft6gtGFHowFZFH878LW7YNQb/IqzkHrZCmp6UsU0v9zhwGHGW9eMY
SRrMUYEwar/pi6qqGJA6w2vkCcFN7Yw6z9UZeS14QaND1eLOPYNNLEpo3jrfgLEW
hEo/nBNHfC17gBiLiteZ+CwesXFAUJtyp/Ez8VSXLQSIscxqSufjTva5FlGvUTjG
//4ttH8iYZj9SYnV9GpR3IakSLThS/EZRPR8ARFKBPYFxVyE1W6t4bGX8NMbIIol
TaqC+LLVLjq4AHgWQz1BYGsod0mfUFfv5v9yrndsKSMf5x3AHrCyBelcFiV7LdGT
s1nRHUDmcpfp5MhmqcXOii6QDB0wtc5qc0yKWi9+ocA6ybVtqYo=
=RLB1
-----END PGP SIGNATURE-----
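The changelog above gives the shape of CVE-2024-42472 (a --persist directory replaced by a symlink is followed at mount time) and says the fix needs bubblewrap's --bind-fd to avoid a race. The following is an added illustration of why both halves are needed; it is not Flatpak or bubblewrap code. The bind mount is simulated by listing a directory, and the persist directory, the "secret" directory standing in for something like ~/.ssh, and the app's symlink are all constructed in a temporary directory. The three cases it runs are: resolving by path at use time (follows the symlink), opening with O_NOFOLLOW (refuses it with ELOOP), and operating on a descriptor resolved before the swap (unaffected by it, which is what passing an fd to the mounting process buys).

```python
"""Why the CVE-2024-42472 fix needs both O_NOFOLLOW and a file descriptor.

Added illustration, not Flatpak or bubblewrap code. The "mount" of a
--persist directory is simulated by listing it; every path used here is
constructed in a temporary directory.
"""
import errno
import os
import tempfile


def open_dir_nofollow(path):
    """Open a directory, refusing to follow a symlink at the last path
    component. On Linux a symlink here fails with ELOOP instead of being
    silently dereferenced."""
    return os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)


def expose_by_path(persist_dir, name):
    """Pre-fix behaviour: resolve the path at use time and follow whatever
    the app has put there (a listing stands in for the bind mount)."""
    return sorted(os.listdir(os.path.join(persist_dir, name)))


def expose_by_path_nofollow(persist_dir, name):
    """Open with O_NOFOLLOW and use the returned fd. Because the use goes
    through the fd there is no check-then-use window inside this function;
    the window only reappears if a *different* process re-resolves the path,
    which is the gap --bind-fd closes."""
    fd = open_dir_nofollow(os.path.join(persist_dir, name))
    try:
        return sorted(os.listdir(fd))
    finally:
        os.close(fd)


def expose_by_fd(fd):
    """Post-fix behaviour: act on a descriptor resolved earlier, so later
    changes to the path cannot redirect it."""
    return sorted(os.listdir(fd))


def demo():
    """Run the three cases and return what each one would expose to the app."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-in for a directory the app must not reach.
        secret = os.path.join(root, "secret")
        os.mkdir(secret)
        open(os.path.join(secret, "id_ed25519"), "w").close()

        # The app-owned persist directory, initially a real directory.
        persist = os.path.join(root, "persist")
        os.mkdir(persist)
        cfg = os.path.join(persist, "config")
        os.mkdir(cfg)
        open(os.path.join(cfg, "settings.ini"), "w").close()

        # The launcher resolves the directory once, before the app can act.
        fd = open_dir_nofollow(cfg)

        # The (malicious or compromised) app then replaces it with a symlink
        # pointing outside its allowed area.
        os.rename(cfg, cfg + ".orig")
        os.symlink(secret, cfg)

        by_path = expose_by_path(persist, "config")          # follows the symlink
        try:
            nofollow = expose_by_path_nofollow(persist, "config")
        except OSError as e:
            nofollow = errno.errorcode[e.errno]              # "ELOOP"
        by_fd = expose_by_fd(fd)                             # still the real dir
        os.close(fd)
    return {"by_path": by_path, "nofollow": nofollow, "by_fd": by_fd}


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} -> {outcome}")
```

The O_NOFOLLOW open alone is enough only if the same descriptor is what gets mounted; if the launcher merely checks the path and a separate helper re-resolves it, the app can swap the directory for a symlink in between, which is the race the changelog refers to when it says the fix is not complete without --bind-fd.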
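The Checksums-Sha256 and Files stanzas above are what a consumer of this upload checks the downloaded .dsc, .debian.tar.xz and .orig.tar.xz against. The following is an added example of that check, not Debian's own tooling (dscverify and dpkg-source do this, together with the signature check, for real uploads). It strips the clearsign armor only so the fields can be parsed; it does not verify the PGP signature, and a real verification must do that first, otherwise the checksums only prove the files match an unauthenticated list. The sample files and their hashes are constructed at run time so the example works offline; the file names mirror the upload but the contents are made up.

```python
"""Check the files of a Debian source upload against the .changes file's
Checksums-Sha256 stanza. Added example, not Debian tooling; it does NOT
verify the PGP signature. Sample files are constructed so it runs offline.
"""
import hashlib
import os
import re
import tempfile

FIELD_RE = re.compile(r"^([A-Za-z0-9-]+):[ \t]*(.*)$")


def strip_clearsign(text):
    """Return the signed body of a clearsigned message, or `text` unchanged
    if it is not clearsigned. The signature itself is not checked here."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    i = 1
    while i < len(lines) and lines[i].strip():      # skip armor headers (Hash: ...)
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)   # undo dash-escaping
    return "\n".join(body)


def parse_fields(body):
    """Parse RFC 822-style fields; continuation lines start with whitespace."""
    fields, current = {}, None
    for line in body.splitlines():
        if line[:1] in (" ", "\t") and current is not None:
            fields[current] += "\n" + line.strip()
        else:
            m = FIELD_RE.match(line)
            if m:
                current = m.group(1)
                fields[current] = m.group(2)
    return fields


def parse_checksums(fields, field="Checksums-Sha256"):
    """Yield (digest, size, name) for each '<digest> <size> <name>' row."""
    for row in fields.get(field, "").splitlines():
        parts = row.split()
        if len(parts) == 3:
            yield parts[0].lower(), int(parts[1]), parts[2]


def verify_checksums(changes_text, directory, field="Checksums-Sha256"):
    """Return {name: 'ok' | 'missing' | 'size mismatch' | 'checksum mismatch'}."""
    fields = parse_fields(strip_clearsign(changes_text))
    algo = field.split("-", 1)[1].lower()            # "sha256" or "sha1"
    results = {}
    for digest, size, name in parse_checksums(fields, field):
        # basename(): a hostile .changes must not be able to point us at ../../etc/...
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != size:
            results[name] = "size mismatch"
            continue
        h = hashlib.new(algo)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == digest else "checksum mismatch"
    return results


def build_sample(directory):
    """Write constructed stand-ins for the upload's files and return a
    matching clearsigned-looking .changes text (the signature block is fake)."""
    contents = {
        "flatpak_1.14.10-1~deb12u1.dsc": b"Format: 3.0 (quilt)\nSource: flatpak\n",
        "flatpak_1.14.10.orig.tar.xz": bytes(range(256)) * 16,
    }
    rows = []
    for name, data in contents.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
        rows.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
            "Format: 1.8\nSource: flatpak\nChecksums-Sha256:\n" + "\n".join(rows) +
            "\n-----BEGIN PGP SIGNATURE-----\n\n(not a real signature)\n"
            "-----END PGP SIGNATURE-----\n")


def demo():
    """Verify the sample, then flip one byte of the tarball and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        changes = build_sample(d)
        clean = verify_checksums(changes, d)
        tarball = os.path.join(d, "flatpak_1.14.10.orig.tar.xz")
        with open(tarball, "r+b") as f:
            first = f.read(1)
            f.seek(0)
            f.write(bytes([first[0] ^ 0x01]))          # same size, different content
        tampered = verify_checksums(changes, d)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

On a bookworm system the versions that carry this fix are flatpak 1.14.10-1~deb12u1 and, per the d/control change above, bubblewrap 0.8.0-2+deb12u1 with the --bind-fd backport; both need to be installed, since the flatpak fix depends on the bubblewrap option.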