[From nobody Thu Apr 9 23:21:03 2026 Received: (at 1133099-close) by bugs.debian.org; 9 Apr 2026 22:19:06 +0000 X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02 (2024-03-25) on buxtehude.debian.org X-Spam-Level: X-Spam-Status: No, score=-114.1 required=4.0 tests=ALL_TRUSTED,BAYES_00, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FOURLA, FVGT_m_MULTI_ODD,HAS_BUG_NUMBER,MD5_SHA1_SUM,PGPSIGNATURE, USER_IN_DKIM_WELCOMELIST autolearn=ham autolearn_force=no version=4.0.1-bugs.debian.org_2005_01_02 X-Spam-Bayes: score:0.0000 Tokens: new, 96; hammy, 150; neutral, 124; spammy, 0. spammytokens: hammytokens:0.000-+--HX-Debian:DAK, 0.000-+--H*rp:D*ftp-master.debian.org, 0.000-+--HX-DAK:process-upload, 0.000-+--UD:debian.tar.xz, 0.000-+--H*r:sk:fasolo. Return-path: <envelope@ftp-master.debian.org> Received: from muffat.debian.org ([2607:f8f0:614:1::1274:33]:56778) by buxtehude.debian.org with esmtps (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>) id 1wAxiM-00ABzE-2u for 1133099-close@bugs.debian.org; Thu, 09 Apr 2026 22:19:06 +0000 Received: via submission from C=NA, ST=NA, L=Ankh Morpork, O=Debian SMTP, OU=Debian SMTP CA, CN=fasolo.debian.org, EMAIL=hostmaster@fasolo.debian.org (verified) by muffat.debian.org with esmtps (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>) id 1wAxiL-00GOok-36 for 1133099-close@bugs.debian.org; Thu, 09 Apr 2026 22:19:05 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ftp-master.debian.org; s=smtpauto.fasolo; h=Date:Message-Id:Content-Type: Subject:MIME-Version:To:Reply-To:From:Cc:Content-Transfer-Encoding:Content-ID :Content-Description:In-Reply-To:References; bh=SGlDUROj45oA4To64eFrZr0Mx0Bi9+WMaTtRUCIiLUY=; b=sr6p74/hxoAv5SdckXnwsGbI50 noOq3SbvHCsohnn6Wh5FbHc4E5z3U0NSxfpzQk2ZCl9mJO1c52gKX0XDiIopQ6dkXek8f210VTRle GLe1KqwCLF4U6O4CSlP7CIBe6oyg+IHEQfRbPYDyVpe+QAcwHzjtAe7uK+kALa+hkl56zWmd0jcZ+ AKjUXZRrxrT0ml3mQWqd9P0F8Y6H6y9Unq+0Ylsd+udhKl9B8RFSe6HWHnMGF0RTXHrExsoJ16GQo S8XaFjNsZqGojIcjUt2aC14ZyDADWUejYFCPboDm7FLJ9yoK8lwMYm70tfUGR9rzu8QVwvKAsya9J yTccb3OA==; Received: from dak by fasolo.debian.org with local (Exim 4.98.2) (envelope-from <envelope@ftp-master.debian.org>) id 1wAxiL-0000000F2Gf-0XCC; Thu, 09 Apr 2026 22:19:05 +0000 From: Debian FTP Masters <ftpmaster@ftp-master.debian.org> Reply-To: Simon McVittie <smcv@debian.org> To: 1133099-close@bugs.debian.org X-DAK: dak process-upload X-Debian: DAK X-Debian-Package: flatpak-builder Debian: DAK Debian-Changes: flatpak-builder_1.4.8-1_source.changes Debian-Source: flatpak-builder Debian-Version: 1.4.8-1 Debian-Architecture: source Debian-Suite: unstable Debian-Archive-Action: accept MIME-Version: 1.0 Subject: Bug#1133099: fixed in flatpak-builder 1.4.8-1 Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="===============6861145585775154434==" Message-Id: <E1wAxiL-0000000F2Gf-0XCC@fasolo.debian.org> Date: Thu, 09 Apr 2026 22:19:05 +0000 --===============6861145585775154434== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Source: flatpak-builder Source-Version: 1.4.8-1 Done: Simon McVittie <smcv@debian.org> We believe that the bug you reported is fixed in the latest version of flatpak-builder, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1133099@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Simon McVittie <smcv@debian.org> (supplier of updated flatpak-builder package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Thu, 09 Apr 2026 22:43:46 +0100 Source: flatpak-builder Architecture: source Version: 1.4.8-1 Distribution: unstable Urgency: high Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debi= an.org> Changed-By: Simon McVittie <smcv@debian.org> Closes: 1133099 Changes: flatpak-builder (1.4.8-1) unstable; urgency=3Dhigh . * New upstream security fix release - Fix arbitrary file read if building a Flatpak app from a malicious manifest or source code (CVE-2026-39977, GHSA-6gm9-3g7m-3965) (Closes: #1133099) * d/copyright: Update Checksums-Sha1: 46687664c1bbcb7ca9019d0498d16ee6c45e638c 2747 flatpak-builder_1.4.8-1.dsc 680401bf389b85f91d79bd58ac56b5ceb0437a82 629584 flatpak-builder_1.4.8.orig.t= ar.xz cdd1b5fc3d85cdb4112da367d8733253470af0ca 8880 flatpak-builder_1.4.8-1.debian= .tar.xz e81d759c9ac83886156608cd4e789497d46e1d87 13358 flatpak-builder_1.4.8-1_sourc= e.buildinfo Checksums-Sha256: 9b353e465fdf6a63ec05dce1fe3dbe69f40c367f60e44fc56cf286a5b6aa7599 2747 flatpa= k-builder_1.4.8-1.dsc 66900a8ad194623297cba210b821438ed26a189f908dbe3ae8af6e1d2666337f 629584 flat= pak-builder_1.4.8.orig.tar.xz 8511513c711f5d720938858c099773a2d918ff69a11bc4415e13effa8cc4ae1e 8880 flatpa= k-builder_1.4.8-1.debian.tar.xz 0edadc043fda8e179b6880c90cf22b157c1427fa45f5651c7e1fd3d86028f67e 13358 flatp= ak-builder_1.4.8-1_source.buildinfo Files: 7e74210ea09c7bce6b05630fcbb3d5b0 2747 devel optional flatpak-builder_1.4.8-1= .dsc bb909194b0f58edcd7451f532eb286bd 629584 devel optional flatpak-builder_1.4.8= .orig.tar.xz 88ed016f594f6c7e18b197805af513d6 8880 devel optional flatpak-builder_1.4.8-1= .debian.tar.xz caab0e176e55827d3ab99a469d4cc0fd 13358 devel optional flatpak-builder_1.4.8-= 1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEegc60a5pT6Jb/2LlI1wJnT6zMHYFAmnYI5UACgkQI1wJnT6z MHYHWBAArLL4hpW3MJCESEmZAjW3/aJxG3pYUBrZKM8+8ENuISCkuuCSxr2oWH0y Iz6dbUybuIJXySq2Zy2FzYUOyC1ldreZSBxlJ4fw0CrbDkQxDng5mnOhLeicUPgW FguvA6PayiEFMHQcTEavX4zWmx4M69WTq57lya6dT2RK4yQuaDGKWP+KHknl0jod mpTQuL9H3eQIJNOuc9j6ZStfuqx1+3+RG0fs59eX9dHQLkHcIfathCDLYkPGU1pF pksjtELC498xomWlXESAbJZ/lR3gAN2hqIKDszG6VARBeS4Jv4Ebt/fRyKQHXhKO PvXAgjEfv8kVYSLK+mAoYfPJLogDKb+e/2o3fC40q3L/ViT1x+Hnl56emfA+Vox5 PYIoSnPPOaaYdPIB9T54oCyZ7V6OQc48Z54SaAx+yTcwfsV+VDlO9IYp0D7Z4Nb0 w7d8dFccC3SJtrPhcOzCilqNahtqrGlbBUmuzuTtVnsX2alNE8MDCbmd2VWB1qUm Z0ApoDfQtTayr2Gw4s0zXwrBOZNJNfqYI3sOFCQQ8Bo0cY75+hvt8kZjRIl4SULN Y0+CvmTg85xlhHs1VKt4yX6I0R6+mi7AQLkLmR94eJRgXnJKRO4dGVFXlnpudSli sL3Qy7YpGsxmMvhTRkdLZHoulff8QGYT9D9wYCiHrxS93n6+UtE=3D =3D7grk -----END PGP SIGNATURE----- --===============6861145585775154434== Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- iHUEABYIAB0WIQTziqJOuF8J+ZI8pJSb9qggYcy5IQUCadgl2QAKCRCb9qggYcy5 IVchAQDkF0hY3MYYpp/WKdJptQbPoIMYFRJUxviWS9bz9HHRlQEAwblGq2OPhxPY phJOWpfJROBIKw01zeHgxLrLPuggDAg= =B75A -----END PGP SIGNATURE----- --===============6861145585775154434==-- ]