From nobody Thu Apr 23 14:05:06 2026
Received: (at 1132945-done) by bugs.debian.org; 23 Apr 2026 13:03:02 +0000
Return-path: <smcv@debian.org>
Received: from stravinsky.debian.org ([2001:41b8:202:deb::311:108]:56220)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <smcv@debian.org>) id 1wFthu-00CwWn-1l;
 Thu, 23 Apr 2026 13:03:02 +0000
Received: from authenticated user by stravinsky.debian.org with esmtpsa
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <smcv@debian.org>) id 1wFths-002Pnn-2D;
 Thu, 23 Apr 2026 13:03:00 +0000
Date: Thu, 23 Apr 2026 14:02:58 +0100
From: Simon McVittie <smcv@debian.org>
To: 1132946-done@bugs.debian.org
Cc: 1132945-done@bugs.debian.org, team@security.debian.org
Subject: Re: flatpak: GHSA-2fxp-43j9-pwvc, GHSA-89xm-3m96-w3jg
Message-ID: <aeoYgsf2OvtcMxjk@definition.pseudorandom.co.uk>
References: <adV6OeQqm63fzRBR@definition.pseudorandom.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline
In-Reply-To: <adV6OeQqm63fzRBR@definition.pseudorandom.co.uk>
X-Debian-User: smcv
X-CrossAssassin-Score: 2

Version: 1.14.10-1~deb12u2

https://bugs.debian.org/1132946 / TEMP-1132946-5EDD2C / GHSA-2fxp-43j9-pwvc
> In Flatpak older than 1.16.4, a local user can obtain read access to any
> file that is readable by the user account running flatpak-system-helper

https://bugs.debian.org/1132945 / TEMP-1132945-4CEFB2 / GHSA-89xm-3m96-w3jg
> Flatpak older than 1.16.4 has an issue in which one local user can
> use the CancelPull method to cancel an ongoing download by a second
> local user

These two non-CVE security issues were fixed in bookworm in the same 
upload as CVE-2026-34078 and CVE-2026-34079. Please could the security 
team update the security tracker accordingly, if closing the bugs 
doesn't automatically do that?

Thanks,
     smcv