-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 10 Oct 2021 14:14:51 +0100
Source: flatpak
Architecture: source
Version: 1.10.5-0+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Utopia Maintenance Team
<pkg-utopia-maintain...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Closes: 995935
Changes:
flatpak (1.10.5-0+deb11u1) bullseye-security; urgency=medium
.
* New upstream stable release 1.10.4
- Don't allow VFS manipulation which could be used to trick portals
into allowing unintended access to host
(Closes: #995935, CVE-2021-41133, GHSA-67h7-w3jq-vh4q)
- Fix parental controls check when installing system-wide as non-root
- OCI now uses the pax tar format, which handles large files better
than GNU tar
- tests: Fix test-sideload.sh if ostree is built with curl backend
(this change is unnecessary but harmless in the configuration used
in Debian)
* New upstream stable release 1.10.5
- Fix regressions in 1.12.0 with extra data or --allow=multiarch.
This only partially prevents use of VFS-manipulating syscalls if a
newer kernel is used with an older libseccomp, but that's the best
we will be able to achieve without new features in libseccomp and/or
bubblewrap.
* d/control: Build-depend on libseccomp 2.5.0.
This ensures that we can block creation of new user namespaces via
clone3(), which should be enough to prevent CVE-2021-41133 on
at least Debian 11 kernels (Linux 5.10). It also allows blocking most
of the syscalls we want to block; we cannot guarantee to be able to
block mount_setattr(), which was only added in libseccomp 2.5.2, but
that syscall was new in Linux 5.12.
* d/p/Fix-handling-of-syscalls-only-allowed-by-devel.patch:
Fix error handling for syscalls that are only allowed with --devel
Checksums-Sha1:
e7f2bee4e6473a0a578dfd271bdf3f94a0902218 3564 flatpak_1.10.5-0+deb11u1.dsc
d4d771e7bfa4ab275845cf7259f9b25784ccc095 1511032 flatpak_1.10.5.orig.tar.xz
94e3430c6e2edaa234ccffaea8725d69dbdf7a00 32220
flatpak_1.10.5-0+deb11u1.debian.tar.xz
9ded37befe39de693234854d4f40fc4d58de621c 11684
flatpak_1.10.5-0+deb11u1_source.buildinfo
Checksums-Sha256:
b6c0d181992d5f9abfe310a1d42a671dde6fe6ceedc04dbb5e9ff957f018d949 3564
flatpak_1.10.5-0+deb11u1.dsc
3ac884b99063cc78e65de94fe015b4146624f3ab8b9f2f84e4017d508af4223b 1511032
flatpak_1.10.5.orig.tar.xz
6d9e3024a986d6ed947046b55e4772da17d6fc084bc0093c27f47cb947e4d6b7 32220
flatpak_1.10.5-0+deb11u1.debian.tar.xz
9edf8ed97879f6f89c2746f13bf615ff3b4b6c75e6b1dac1826f846b438178d7 11684
flatpak_1.10.5-0+deb11u1_source.buildinfo
Files:
4977ad06425adbb483e1322b82dcda05 3564 admin optional
flatpak_1.10.5-0+deb11u1.dsc
aeff8d90a58ed50271cae6ac2aff7600 1511032 admin optional
flatpak_1.10.5.orig.tar.xz
5d3d53c4dff95cc32100c31033fd9008 32220 admin optional
flatpak_1.10.5-0+deb11u1.debian.tar.xz
12423e0c7731d3e75cfc9ee782b82767 11684 admin optional
flatpak_1.10.5-0+deb11u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAmFlaDQACgkQ4FrhR4+B
TE/GMA/+P/dGKD0dTkqcxglhb5KmOYCXVR5KujLS3deAvyv6Qp3uthIiPi7/yqy/
EMLP6LQIMXLWzVdoeO1PMC5PnGEa65gcGoQ9vh1FeER64tHUncyvywTrcRibVOme
2z7K/uRTeYEy6/dPrv9pC1zQLI4Kny00vzOymXDuUDb+tIHGiRzU4bDcMbORygSN
59vIvpM6VA1PlEJKBE8vn9wQvtaeiB/IW98jP8tBtlqN2allcaU9VCW2YyCZhhHj
L18/+sDxsW2xrYaLAiLFd7Fubc2f5JO4/+xmNnfOQFOQY4TyRTD3wtsoju35hvKm
+Qw5eC3ee0wiQlMoi2OGMhveR6krybNFXyQafwCh7EIVL2vVMtH/R7gwsmpU17Am
AuvQLNuBJ5e9QH+tms+RHWm8823E6k+8jC98QK2+OJ7sLhJKutuGdkKgCRaRDe3G
Ir1yOzQood3u9jUferoBnSiI2x8c7i6YdHlskLcEOyzXxJbAThsWQ3MBtqGPXMnW
LaWrAjSFtTWsP5ik7LS8LWgti1osDsFoW5eHRIFU6HLWaypntvtSPv2hcD0pk7Tx
KYOGuDqIDR38EHrj6XOPpDV8fdagzCWm0pqHz3DaVcAVKjivJD9+z6e36KJlVUuT
ZC1C+HMeQ/uPON6zWmg9B12/RpIyLJdXQ0v+RtDUjG8TB72WcHg=
=2IK7
-----END PGP SIGNATURE-----
