-
flatpak (1.0.9-0ubuntu0.4) bionic-security; urgency=medium
* SECURITY UPDATE: Sandbox bypass via recent VFS-manipulating syscalls
(LP: #1946578)
- debian/patches/CVE-2021-41133-1.patch
- debian/patches/CVE-2021-41133-2.patch
- debian/patches/CVE-2021-41133-3.patch
- debian/patches/CVE-2021-41133-4.patch
- debian/patches/CVE-2021-41133-5.patch
- debian/patches/CVE-2021-41133-6.patch
- debian/patches/CVE-2021-41133-7.patch
- debian/patches/CVE-2021-41133-8.patch
- debian/patches/CVE-2021-41133-9.patch
- debian/patches/CVE-2021-41133-10.patch
- CVE-2021-41133
-- Andrew Hayzen <email address hidden> Wed, 13 Oct 2021 00:36:35 +0100
-
flatpak (1.0.9-0ubuntu0.3) bionic-security; urgency=medium
* SECURITY UPDATE: Flatpak sandbox escape via crafted .desktop file
(LP: #1918482)
- debian/patches/CVE-2021-21381-1.patch: Disallow @@ and @@u usage in
desktop files.
- debian/patches/CVE-2021-21381-2.patch: dir: Reserve the whole @@
prefix.
- debian/patches/CVE-2021-21381-3.patch: dir: Refuse to export
.desktop files with suspicious uses.
- CVE-2021-21381
-- Andrew Hayzen <email address hidden> Wed, 10 Mar 2021 20:51:04 +0000
-
flatpak (1.0.9-0ubuntu0.2) bionic-security; urgency=medium
* SECURITY UPDATE: Flatpak sandbox escape via spawn portal (LP: #1911473)
- debian/patches/CVE-2021-21261-1.patch: run: Convert all environment
variables into bwrap arguments.
- debian/patches/CVE-2021-21261-2.patch: common: Move
flatpak_buffer_to_sealed_memfd_or_tmpfile to its own file.
- debian/patches/CVE-2021-21261-3.patch: context: Add --env-fd option.
- debian/patches/CVE-2021-21261-4.patch: portal: Convert --env in
extra-args into --env-fd.
- debian/patches/CVE-2021-21261-5.patch: portal: Do not use caller-supplied
variables in environment.
- CVE-2021-21261
-- Paulo Flabiano Smorigo <email address hidden> Tue, 19 Jan 2021 14:21:40 +0000
-
flatpak (1.0.9-0ubuntu0.1) bionic; urgency=medium
* Update to 1.0.9 (LP: #1844666)
* New upstream release
- Allow use of extra_data for runtimes, this is required for the
openh264 extension.
-- Andrew Hayzen <email address hidden> Sat, 21 Sep 2019 21:30:00 +0000
-
flatpak (1.0.8-0ubuntu0.18.04.1) bionic-security; urgency=medium
* Update to 1.0.8 (LP: #1821811)
* New upstream release
- SECURITY UPDATE: seccomp: Reject all ioctls that the kernel will
interpret as TIOCSTI, including those where the high 32 bits in
a 64-bit word are nonzero.
- CVE-2019-10063
-- Andrew Hayzen <email address hidden> Wed, 27 Mar 2019 21:21:48 +0000
-
flatpak (1.0.7-0ubuntu0.18.04.1) bionic-security; urgency=medium
* Update to 1.0.7 (LP: #1815528)
* New upstream release
- SECURITY UPDATE: do not let the apply_extra script for a system
installation modify the host-side executable via /proc/self/exe,
similar to CVE-2019-5736 in runc
- CVE-2019-8308
-- Andrew Hayzen <email address hidden> Wed, 13 Feb 2019 21:24:42 +0000
-
flatpak (1.0.6-0ubuntu0.1) bionic; urgency=medium
[ Andrew Hayzen ]
* Update to 1.0.6 (LP: #1806220)
[ Ondřej Nový ]
* debian/tests: Use AUTOPKGTEST_TMP instead of ADTTMP
[ Simon McVittie ]
* New upstream release
- Avoid apply_extra scripts being able to create non-canonical
permissions such as setuid
* debian/watch: Only watch for stable-branch versions
* debian/tests/control: Mark build test as superficial (see #904979)
* debian/patches/debian/patches/test-webserver-Fix-race-condition.patch:
Drop patch, applied upstream
* Install upstream NEWS and README.md into flatpak and libflatpak-doc
* debian/libflatpak0.symbols: Update
* debian/flatpak-tests.lintian-overrides: Silence some
package-contains-documentation-outside-usr-share-doc false positives
* debian/patches/debian/patches/test-webserver-Fix-race-condition.patch:
Mark as forwarded
* debian/libflatpak0.symbols: Update
-- Andrew Hayzen <email address hidden> Fri, 30 Nov 2018 01:01:39 +0000
-
flatpak (1.0.1-0ubuntu0.1) bionic; urgency=medium
* Update to 1.0.1 (LP: #1787917)
* New upstream stable release
- Update symbols file for new ABI
- Bump ostree (build)dependencies to 2018.7
- Install new flatpak-coredumpctl script as an example
- Install zsh completion functions
- debian/copyright: Update
- debian/control: Update bubblewrap and ostree dependencies
- debian/control: Depend on python3 for build-time tests
- debian/control: flatpak Recommends p11-kit, for p11-kit-server
* debian/test.sh: Output test logs in the build log, even on success
* Remove --disable-document-portal, no longer necessary since 0.11.0
* Version the ostree command-line tool dependency for the tests.
* debian/tests/gnome-desktop-testing: Enable full test coverage on machines
where the login name is "user" and the hostname is "host"
* debian/tests: Mark OCI tests as flaky for now, since hangs do not appear
to have been completely addressed
* debian/patches/test-webserver-Fix-race-condition.patch:
Fix a race condition in test setup
* debian/patches/debian/Use-Python-3-for-test-web-server.patch:
Rebase and expand to cover more test code
-- Andrew Hayzen <email address hidden> Sun, 02 Sep 2018 00:12:41 +0100
-
flatpak (0.11.7-0ubuntu0.1) bionic-proposed; urgency=medium
* Update to 0.11.7 (LP: #1767215)
* New upstream release
- Drop patches that were applied upstream
- d/copyright: Update
- Build-depend on bison
- Add new flatpak-portal to flatpak.deb
- Update symbols file for new ABI
* Standards-Version: 4.1.4 (no changes required)
-- Andrew Hayzen <email address hidden> Thu, 03 May 2018 22:19:31 +0100
-
flatpak (0.11.3-3) unstable; urgency=medium
* Add Recommends: policykit-1. This is required when installing apps and
runtimes system-wide, which is the default for the CLI, but is not
required when installing into your own home directory with
"flatpak --user install...". (Closes: #892583)
-- Simon McVittie <email address hidden> Sun, 11 Mar 2018 16:00:02 +0000
-
flatpak (0.11.3-2) unstable; urgency=medium
* Merge from experimental to unstable
* d/p/Update-*-translation.patch: Update Czech and Indonesian
translations from upstream
* d/p/Fix-assertion-when-no-gsettings-schema-installed.patch:
Add patch from upstream fixing an assertion failure if no
GSettings schemas are installed
-- Simon McVittie <email address hidden> Thu, 01 Mar 2018 09:21:46 +0000
-
flatpak (0.11.3-1) experimental; urgency=medium
* New upstream release
- d/p/Remove-unused-FUSE-build-dependency.patch:
Drop, applied upstream
-- Simon McVittie <email address hidden> Mon, 19 Feb 2018 15:18:05 +0000
-
flatpak (0.11.1-0ubuntu1) bionic; urgency=medium
* New upstream release
- Remove document portal and permission store
- Add --socket=fallback-x11 permission
- Fix dbus proxy vulnerability in authentication phase
- Allow personality syscall in devel mode
- commit-from: Migrate static deltas with commit
- Add "network" storage type for installations
- Add flatpak info --show-permissions
- Add flatpak info --file-access
- search: Update appstream (if stale) before searching
- Make libflatpak work when /var/lib/flatpak is empty
- build-bundle: Add --from-commit option
- Allow appstream ids that don't end in .desktop
- Make permission handling ignore unknown permissions for forwards
compatibility
- Removed incorrect error message in update --appdata when there
were no updates
- Fix handling of abort in the duplicate remote prompt
- Fix division by zero in progress calculation
- Fix flatpak remote-info --show-metadata
- Fixed crash when installing some flatpak bundle files
- Fix installation of telegram
- remote-ls -u only considers app from the origin remote
- Fix assertion error in extra-data progress reporting
- Report nicer errors when trying to downgrade as non-root
- pulseaudio: Try to find pulseaudio socket better
- Fixed some warnings reported by coverity
- Cleaned up code by splitting up some large source files
* debian/flatpak.install
- Removed files that are now provided by the xdg-desktop-portal package
-- Ken VanDine <email address hidden> Wed, 14 Feb 2018 08:29:14 -0500
-
flatpak (0.10.3-1) unstable; urgency=medium
* New upstream bugfix release
- Fixes a D-Bus filtering bypass in flatpak-dbus-proxy
(Closes: #888842)
-- Simon McVittie <email address hidden> Tue, 30 Jan 2018 14:38:24 +0000
-
flatpak (0.10.2.1-2) unstable; urgency=medium
* Move Vcs-* to salsa.debian.org
* Standards-Version: 4.1.3 (no changes required)
* d/control, d/tests/control,
d/p/debian/Use-Python-3-for-test-web-server.patch:
Use Python 3 for tests
-- Simon McVittie <email address hidden> Wed, 17 Jan 2018 20:55:34 +0000
-
flatpak (0.10.2.1-1) unstable; urgency=medium
* New upstream release
-- Simon McVittie <email address hidden> Thu, 21 Dec 2017 14:00:52 +0000
-
flatpak (0.10.2-1) unstable; urgency=medium
* New upstream release
- d/control: Be specific about the appstream-glib dependency,
which is newer than oldstable
- d/control: Update build-dependency on ostree to 2017.14
* Standards-Version: 4.1.2 (no changes required)
-- Simon McVittie <email address hidden> Fri, 15 Dec 2017 15:26:30 +0000
-
flatpak (0.10.1-1) unstable; urgency=medium
* New upstream release
- d/copyright: Update
- d/control: Add build-dependency on appstream-glib
* d/autogen.sh: Run gtkdocize --copy. Plain gtkdocize replaces
gtk-doc.make with a symlink, which dh_autoreconf_clean won't remove,
breaking the ability to build twice in a row from the same directory.
(See #881915)
-- Simon McVittie <email address hidden> Mon, 27 Nov 2017 09:21:56 +0000
-
flatpak (0.10.0-2) unstable; urgency=medium
* Version the dh-exec build-dependency to (>= 0.23~).
The version in oldstable doesn't support build profiles. Strictly
speaking 0.15 might be enough, but I'm not going to test with anything
older than oldstable-backports.
* d/tests/gnome-desktop-testing: Clear proxy-related environment
variables, as was previously done for ostree. These are set on
Ubuntu's infrastructure to allow accessing the Internet (which we
don't need), at the cost of breaking access to 127.0.0.1 (which we
do need) for anything that doesn't respect $no_proxy (in
particular libostree). (Closes: #880043)
* d/control: Set Rules-Requires-Root to no
- d/control: Build-depend on gobject-introspection 1.54.1-2 for a
fixed dh_girepository to make this work (#880095)
-- Simon McVittie <email address hidden> Sun, 05 Nov 2017 14:06:00 +0000
-
flatpak (0.10.0-1) unstable; urgency=medium
* d/watch: Track stable-branches (x.y.z where y is even), and fix to
cope with multi-digit minor versions
* New upstream stable release
- Update symbols file
* Disable gtk-doc if we are not going to build libflatpak-doc,
in particular for architecture-specific builds. Note that it remains
in Build-Depends (not Build-Depends-Indep) because it is also needed
for gtkdocize during dh_autoreconf.
* Do not force --disable-silent-rules, debhelper does this now
* Install gtk-doc documentation to the standard /usr/share/gtk-doc,
with a symbolic link in /usr/share/doc, instead of the other way
round. The gtk-doc documentation is functionally significant (it
affects cross-reference generation during build of other packages)
so according to Policy §12.3 it is not appropriate for
/usr/share/doc.
- Install dpkg-maintscript-helper fragments for this migration
* Disable documentation generation under nodoc DEB_BUILD_OPTIONS
* Disable libflatpak-doc under nodoc build profile
* Don't run build-time tests if building only Arch: all packages
-- Simon McVittie <email address hidden> Thu, 26 Oct 2017 12:35:52 +0100
-
flatpak (0.8.7-5) unstable; urgency=medium
* d/p/tests-Isolate-tests-from-real-home-directory-more-thoroug.patch:
Mark as upstreamed for 0.9.8, and move to d/p/0.9.8/ directory
* d/p/Improve-test-diagnostics.patch: Add patch to improve test
diagnostics (see #870312)
* Standards-Version: 4.0.1 (no changes required)
* d/p/testlibrary-Skip-tests-that-need-extended-attributes-if-n.patch:
Add patch to skip tests that need extended attributes if /var/tmp
does not support them (Closes: #870312)
-- Simon McVittie <email address hidden> Thu, 31 Aug 2017 11:33:05 +0100