** Description changed: - Another bubblewrap security issue. This has been fixed in Debian and - upstream in both bubblewrap and Flatpak which need to be updated at the - same time. + Another bubblewrap security issue for yakkety. Changelogs are derived from Debian's. This has already been fixed in Debian and zesty. + This has been fixed in Debian and upstream in both bubblewrap and Flatpak which need to be updated at the same time. - I've been wanting to update Flatpak to 0.8 anyway (LP: #1656712) since - December but was waiting to get bubblewrap taken care of first to make - it simpler. Now I guess we'll do it all together. + For Flatpak, this is just backporting + https://github.com/flatpak/flatpak/commit/902fb7139 - There are three affected packages in yakkety: - - bubblewrap - - flatpak - - ostree (new version needed for new flatpak) + For bubblewrap, there's only a few other bugfixes added in the new upstream version 0.1.7 since 0.1.5 so I think we'd be better off just taking the new version: + https://github.com/projectatomic/bubblewrap/releases + https://github.com/projectatomic/bubblewrap/commits/master - I'll attach debdiffs here for them. - - I propose we do like the last bubblewrap update and build these as - security updates but age them for 7 days first like SRUs. + Originally, I mixed this bug with LP: #1656712 but it's a lot simpler + now.
--
https://bugs.launchpad.net/bugs/1657357
Title: bubblewrap escape via TIOCSTI ioctl