Package "flatpak"
Name: flatpak
Description: Application deployment framework for desktop apps
Latest version: 1.6.5-0ubuntu0.5
Release: focal (20.04)
Level: updates
Repository: universe
Homepage: https://flatpak.org/

Changelog
flatpak (1.6.5-0ubuntu0.5) focal-security; urgency=medium

  * SECURITY UPDATE: Access outside sandbox
    - debian/patches/CVE-2024-42472-1.patch: don't follow symlinks when
      mounting persisted directories in common/flatpak-context.c.
    - debian/patches/CVE-2024-42472-2.patch: add test coverage for --persist
      in test/test-run.sh.
    - debian/patches/CVE-2024-42472-3.patch: add --bind-fd and --ro-bind-fd to
      bubblerap.c.
    - debian/control: makes flatpak depend on bubblerap with --bind-fd feature
      backported to avoid race condition (LP: #2077087)
    - CVE-2024-42472

 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 24 Sep 2024 20:03:34 -0300

2077087: CVE-2024-42472: Access to files outside sandbox for apps using persistent= (--persist)
CVE-2024-42472: Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious or compromised Flatpak app us

flatpak (1.6.5-0ubuntu0.4) focal-security; urgency=medium

  * SECURITY UPDATE: Sandbox bypass via recent VFS-manipulating syscalls
    (LP: #1946578)
    - debian/paches/CVE-2021-41133-1.patch
    - debian/paches/CVE-2021-41133-2.patch
    - debian/paches/CVE-2021-41133-3.patch
    - debian/paches/CVE-2021-41133-4.patch
    - debian/paches/CVE-2021-41133-5.patch
    - debian/paches/CVE-2021-41133-6.patch
    - debian/paches/CVE-2021-41133-7.patch
    - debian/paches/CVE-2021-41133-8.patch
    - debian/paches/CVE-2021-41133-9.patch
    - debian/paches/CVE-2021-41133-10.patch
    - CVE-2021-41133

 -- Andrew Hayzen <email address hidden> Wed, 13 Oct 2021 00:36:35 +0100

1946578: Update for CVE-2021-41133
CVE-2021-41133: Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions prior to 1.10.4 and 1.12.0, Flatpak

flatpak (1.6.5-0ubuntu0.3) focal-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via crafted .desktop file
    (LP: #1918482)
    - debian/patches/CVE-2021-21381-1.patch: Disallow @@ and @@u usage in
      desktop files.
    - debian/patches/CVE-2021-21381-2.patch: dir: Reserve the whole @@
      prefix.
    - debian/patches/CVE-2021-21381-3.patch: dir: Refuse to export
      .desktop files with suspicious uses.
    - CVE-2021-21381

 -- Andrew Hayzen <email address hidden> Fri, 05 Mar 2021 22:21:25 +0000

1918482: Update for CVE-2021-21381
CVE-2021-21381: Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpak since version 0.9.4 and before versi

flatpak (1.6.5-0ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: Flatpak sandbox escape via spawn portal (LP: #1911473)
    - debian/patches/CVE-2021-21261-1.patch: tests: Add minimal version
      of "ok" helper.
    - debian/patches/CVE-2021-21261-2.patch: common: Add a backport of
      G_DBUS_METHOD_INVOCATION_HANDLED.
    - debian/patches/CVE-2021-21261-3.patch: run: Convert all environment
      variables into bwrap arguments.
    - debian/patches/CVE-2021-21261-4.patch: tests: Expand coverage for
      environment variable overrides.
    - debian/patches/CVE-2021-21261-5.patch: context: Add --env-fd option.
    - debian/patches/CVE-2021-21261-6.patch: portal: Convert --env in
      extra-args into --env-fd.
    - debian/patches/CVE-2021-21261-7.patch: tests: Exercise --env-fd.
    - debian/patches/CVE-2021-21261-8.patch: portal: Do not use
      caller-supplied variables in environment.
    - debian/patches/CVE-2021-21261-9.patch: tests: Assert that --env= does
      not go in `flatpak run` or bwrap environ.
    - CVE-2021-21261

 -- Andrew Hayzen <email address hidden> Wed, 13 Jan 2021 21:09:15 +0000

1911473: Update for ghsa-4ppf-fxf6-vxg2
CVE-2021-21261: Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the `flatpak-portal` ser

flatpak (1.6.5-0ubuntu0.1) focal; urgency=medium

  * New upstream release 1.6.5 (LP: #1884594)
    - Backports some of the OCI authenticator fixes from the 1.7 series
    - Fix a use-after free in libflatpak
    - Don't list p2p downgrades in list of available updates
    - Install gdm env.d fragment, but only as an example file.
      It is harmful on systems where environment.d(5) works (in particular
      systems using systemd), because it overwrites additions to the
      XDG_DATA_DIRS coming from other app frameworks like Snap.
      However, using either this fragment or manual configuration might
      be necessary on non-systemd systems. See
      /usr/share/doc/flatpak/README.Debian for more details. (LP: #1801814)
    - debian/flatpak.README.Debian: Add

 -- Andrew Hayzen <email address hidden> Wed, 08 Jul 2020 00:34:35 +0000

1884594: [SRU] [focal] New upstream microrelease flatpak 1.6.5
1801814: Environment overwrites XDG_DATA_DIRS