https://bugs.kde.org/show_bug.cgi?id=448803

            Bug ID: 448803
           Summary: flatpak backport is an outdated development version
           Product: neon
           Version: unspecified
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: major
          Priority: NOR
         Component: Packages User Edition
          Assignee: neon-b...@kde.org
          Reporter: s...@debian.org
                CC: j...@jriddell.org, neon-b...@kde.org, sit...@kde.org
  Target Milestone: ---

Neon appears to be shipping Flatpak 1.11.3, which was a development release and
is unsupported by upstream. It is vulnerable to at least CVE-2021-41133,
CVE-2021-43860 and CVE-2022-21682.

(I am not a Neon user myself, I'm basing this on
https://invent.kde.org/neon/backports-focal/flatpak and
https://repology.org/project/flatpak/versions)

If Flatpak is sufficiently important for Neon to be backporting it, please use
the latest version from a stable branch and keep it up to date. Flatpak stable
branches are versioned x.y.z where y is divisible by 2 (such as 1.12.z and
1.10.z).

If Neon is based on Ubuntu LTS, you might find
https://launchpad.net/~flatpak/+archive/ubuntu/stable useful: it contains
semi-official backports of current Flatpak to various LTS branches of Ubuntu.

The 1.11.z stable branch was a series of development releases leading to the
1.12.0 stable release, and will not receive any further releases. There is no
upstream security support for old development branches.
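The version rule stated in the report (x.y.z with an even y is a stable branch, an odd y is a development series) is easy to turn into a check that an administrator can run against the Flatpak a distribution actually ships. The script below is an added example, not part of this bug report nor of Flatpak's or Neon's own tooling. It parses a version string such as the output of `flatpak --version`, classifies its branch, and compares it against a policy floor; the floor value and the sample version strings are constructed assumptions, since the report names no specific fixed release for the CVEs it lists.

```python
"""Classify a Flatpak version as stable-branch or development-branch.

Rule taken from the bug report: Flatpak versions are x.y.z and the branch is
stable when y is divisible by 2 (1.10.z, 1.12.z); odd branches such as 1.11.z
are development series that receive no further releases or security support.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Tuple

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


@dataclass(frozen=True)
class FlatpakVersion:
    major: int
    minor: int
    patch: int

    @property
    def is_stable_branch(self) -> bool:
        # Even minor number == stable branch, per the report.
        return self.minor % 2 == 0

    @property
    def branch(self) -> str:
        return f"{self.major}.{self.minor}.z"

    def as_tuple(self) -> Tuple[int, int, int]:
        return (self.major, self.minor, self.patch)


def parse_version(text: str) -> FlatpakVersion:
    """Parse 'Flatpak 1.11.3' (the `flatpak --version` form) or a bare '1.11.3'."""
    parts = text.split()
    if not parts:
        raise ValueError("empty version string")
    match = _VERSION_RE.match(parts[-1])
    if not match:
        raise ValueError(f"unrecognised Flatpak version string: {text!r}")
    return FlatpakVersion(*(int(g) for g in match.groups()))


def assess(text: str, minimum_stable: Tuple[int, int, int]) -> Tuple[bool, str]:
    """Return (acceptable, reason).

    `minimum_stable` is an operator-chosen policy floor (ASSUMPTION: the report
    does not say which stable release closes CVE-2021-41133, CVE-2021-43860 or
    CVE-2022-21682, so the floor must come from the operator's own tracking).
    """
    version = parse_version(text)
    if not version.is_stable_branch:
        return False, (f"{version.branch} is a development branch with no "
                       f"upstream security support")
    if version.as_tuple() < minimum_stable:
        floor = ".".join(str(n) for n in minimum_stable)
        return False, (f"{version.branch} is a stable branch, but "
                       f"{parts_of(version)} is below the policy floor {floor}")
    return True, f"stable branch {version.branch}, at or above the policy floor"


def parts_of(version: FlatpakVersion) -> str:
    return ".".join(str(n) for n in version.as_tuple())


if __name__ == "__main__":
    # Constructed sample strings; 1.11.3 is the version the report names.
    samples = ["Flatpak 1.11.3", "1.12.4", "1.10.2"]
    policy_floor = (1, 12, 0)  # ASSUMPTION: example policy, not from the report
    for sample in samples:
        ok, reason = assess(sample, policy_floor)
        print(f"{sample:>16}: {'OK ' if ok else 'BAD'} {reason}")
    # Check the locally installed Flatpak, if any, the same way.
    try:
        installed = subprocess.run(["flatpak", "--version"], capture_output=True,
                                   text=True, check=True).stdout
        ok, reason = assess(installed, policy_floor)
        print(f"installed {installed.strip()}: {'OK ' if ok else 'BAD'} {reason}")
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("flatpak not installed or not runnable here; skipped live check")
```

The first test in `assess` is the one that matters for this report: a development branch is rejected before any patch-level comparison, because no patch level on 1.11.z can be "current" when the branch itself is unsupported.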
