https://bugs.kde.org/show_bug.cgi?id=448803
Bug ID: 448803
Summary: flatpak backport is an outdated development version
Product: neon
Version: unspecified
Platform: Other
OS: Linux
Status: REPORTED
Severity: major
Priority: NOR
Component: Packages User Edition
Assignee: neon-b...@kde.org
Reporter: s...@debian.org
CC: j...@jriddell.org, neon-b...@kde.org, sit...@kde.org
Target Milestone: ---

Neon appears to be shipping Flatpak 1.11.3, which was a development release and is unsupported by upstream. It is vulnerable to at least CVE-2021-41133, CVE-2021-43860 and CVE-2022-21682.

(I am not a Neon user myself; I'm basing this on https://invent.kde.org/neon/backports-focal/flatpak and https://repology.org/project/flatpak/versions)

If Flatpak is sufficiently important for Neon to be backporting it, please use the latest version from a stable branch and keep it up to date. Flatpak stable branches are versioned x.y.z where y is divisible by 2 (such as 1.12.z and 1.10.z).

If Neon is based on Ubuntu LTS, you might find https://launchpad.net/~flatpak/+archive/ubuntu/stable useful: it contains semi-official backports of current Flatpak to various LTS branches of Ubuntu.

The 1.11.z stable branch was a series of development releases leading to the 1.12.0 stable release, and will not receive any further releases. There is no upstream security support for old development branches.