@Paulo, Thanks! BTW smcv just pointed out two more potential patches that could be included in the focal 1.6 patch, these are only for users that use setuid on the bubblewrap binary though (users who disable user namespaces, like Debian). It would be up to us if we want to include them. See https://github.com/flatpak/flatpak/pull/4070#issuecomment-764664659

I can try and include these extra two commits if you think it is useful, but not sure how many users would do this or if it would be considered "supported"?
For bionic, note that the flatpak-1.2.x branch has the fixes applied (with extra setuid patches here: https://github.com/flatpak/flatpak/pull/4087). These may help for figuring out 1.0.x.

And what would the security team prefer to do for groovy? We could either sync 1.8.5 from hirsute or apply the patches to 1.8.2? (Although it looks like 1.10.0-2 is in hirsute-proposed, so we might have to be quick :') unless we can sync an older version somehow.)

Please advise if you want me to attempt any other areas :-)

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1911473

Title: Update for ghsa-4ppf-fxf6-vxg2

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs