[From nobody Sat Apr 18 16:19:05 2026
Received: (at 1132944-close) by bugs.debian.org; 18 Apr 2026 15:18:25 +0000
Return-path: <envelope@ftp-master.debian.org>
Received: from mitropoulos.debian.org
 ([2001:648:2ffc:deb:216:61ff:fe9d:958d]:58450)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>)
 id 1wE7RB-00H10j-0v for 1132944-close@bugs.debian.org;
 Sat, 18 Apr 2026 15:18:25 +0000
Received: via submission
 from C=NA, ST=NA, L=Ankh Morpork, O=Debian SMTP, OU=Debian SMTP CA,
 CN=fasolo.debian.org, EMAIL=hostmaster@fasolo.debian.org (verified)
 by mitropoulos.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <envelope@ftp-master.debian.org>)
 id 1wE7R9-008ORV-1c for 1132944-close@bugs.debian.org;
 Sat, 18 Apr 2026 15:18:23 +0000
Received: from dak by fasolo.debian.org with local (Exim 4.98.2)
 (envelope-from <envelope@ftp-master.debian.org>)
 id 1wE7R8-0000000Ga4I-12iH; Sat, 18 Apr 2026 15:18:22 +0000
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Reply-To: Simon McVittie <smcv@debian.org>
To: 1132944-close@bugs.debian.org
X-DAK: dak process-policy
X-Debian: DAK
X-Debian-Package: flatpak
Debian: DAK
Debian-Changes: flatpak_1.16.6-1~deb13u1_source.changes
Debian-Source: flatpak
Debian-Version: 1.16.6-1~deb13u1
Debian-Architecture: source
Debian-Suite: proposed-updates
Debian-Archive-Action: accept
MIME-Version: 1.0
Subject: Bug#1132944: fixed in flatpak 1.16.6-1~deb13u1
Content-Type: multipart/signed; micalg="pgp-sha256";
 protocol="application/pgp-signature";
 boundary="===============7428356422947078803=="
Message-Id: <E1wE7R8-0000000Ga4I-12iH@fasolo.debian.org>
Date: Sat, 18 Apr 2026 15:18:22 +0000

--===============7428356422947078803==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Source: flatpak
Source-Version: 1.16.6-1~deb13u1
Done: Simon McVittie <smcv@debian.org>

We believe that the bug you reported is fixed in the latest version of
flatpak, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1132944@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated flatpak package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 10 Apr 2026 23:58:31 BST
Source: flatpak
Architecture: source
Version: 1.16.6-1~deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 1132943 1132944 1132945 1132946
Changes:
 flatpak (1.16.6-1~deb13u1) trixie-security; urgency=high
 .
   * Backport new upstream stable release for Debian 13
     - Fix a sandbox escape involving symlinks passed to flatpak-portal.
       A malicious or compromised Flatpak app could exploit this to achieve
       arbitrary code execution on the host.
       (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
     - Prevent arbitrary file deletion outside the sandbox by a malicious or
       compromised Flatpak app
       (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
     - Prevent a local user from reading any file that is readable by the
       _flatpak system user. A mitigation is that it would be very unusual
       for these files not to be readable by the original local user as well.
       (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
     - Prevent a local user from making another local user unable to cancel
       an ongoing download of apps or runtimes installed system-wide
       via the system helper.
       (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
     - Various fixes for regressions caused when fixing CVE-2026-34078
   * Revert changes that are not appropriate for a stable update:
     - Revert "d/watch: Convert to v5 format, only watch stable
       (even-numbered) releases"
     - Revert "Standards-Version: 4.7.3"

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--===============7428356422947078803==
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQTziqJOuF8J+ZI8pJSb9qggYcy5IQUCaeOgvgAKCRCb9qggYcy5
IYjWAQDBMkgvTvrqkeP/OvNWuH/O2om7AQa7NgKH5SsRmns6wQEAsU6E/pvd1uWW
o/VuB/HSkJAhZCtyrbEZsqcHnm1pbwk=
=z0YX
-----END PGP SIGNATURE-----

--===============7428356422947078803==--
]