@alexmurray, hey, I believe that commit was reverted later as it caused a behavioural regression? The GitHub advisory (https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx) was changed to point to a different commit (https://github.com/flatpak/flatpak/commit/5709f1aaed6579f013
@ahayzen - thanks for the impish debdiff - I was going to sponsor it, but I notice you have used a different set of patches from those linked to by Debian and NVD for CVE-2022-21682 - does this also need https://github.com/flatpak/flatpak/commit/445bddeee657fdc8d2a0a1f0de12975400d4fc1a ?
Also does
** Changed in: flatpak (Ubuntu)
Importance: Undecided => Medium
** Changed in: flatpak (Ubuntu Bionic)
Importance: Undecided => Medium
** Changed in: flatpak (Ubuntu Focal)
Importance: Undecided => Medium
** Changed in: flatpak (Ubuntu Impish)
Importance: Undecided => Medium
Please find attached the debdiff for Ubuntu 21.10 impish. I have
performed some testing in a VM and built in a PPA.
** Attachment added: "Impish CVE debdiff"
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1957716/+attachment/5557881/+files/flatpak_impish_lp1957716.debdiff.gz
** Changed in: flatpak (Ubuntu Impish)
Status: New => In Progress
** Changed in: flatpak (Ubuntu Impish)
Assignee: (unassigned) => Andrew Hayzen (ahayzen)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launch
** Description changed:
[Links]
https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j (CVE-2021-43860)
https://security-tracker.debian.org/tracker/CVE-2021-43860
https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx (CVE-2022-21682)
http
Note that Jammy now has 1.12.3-1, so it is fixed.
** Summary changed:
- Update for CVE-2021-43860 and second github advisory
+ Update for CVE-2021-43860 and CVE-2022-21682
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-21682
** Description changed:
[Links]
- https://github.com