[From nobody Mon May 11 18:43:05 2026
From: Jeremy Bícha <jbicha@debian.org>
Date: Mon, 11 May 2026 13:36:16 -0400
Message-ID: <CAAajCMYdtiUvAd2RnO0GBKqsf25O-d9Bkekydg-TmHObPqDOQw@mail.gmail.com>
Subject: yelp: security vulnerability fixed in 49.1
To: submit <submit@bugs.debian.org>

Source: yelp
Version: 49.0-1
Severity: serious
Tags: security upstream bookworm trixie
X-Debbugs-CC: team@security.debian.org

Sandbox escape hardening was done in yelp's recent 49.1 release that
was discussed more today at

https://blogs.gnome.org/mcatanzaro/2026/05/11/flatpak-sandbox-escape-via-yelp/

A CVE has been requested, but we don't need to wait for it to be
assigned to fix this issue.

The issue is fixed with these 2 upstream commits:
https://gitlab.gnome.org/GNOME/yelp/-/commit/d220aa2f754eed4e6a006a4acaa68b31892dea2b
https://gitlab.gnome.org/GNOME/yelp/-/commit/c8c8244c8a812860782d635890c9b6c43ecc2639

This issue has already been fixed in unstable.

Thank you,
Jeremy Bícha
]