Bug#1136299: yelp: security vulnerability fixed in 49.1
Jeremy Bícha
jbicha at debian.org
Mon May 11 18:36:16 BST 2026
Source: yelp
Version: 49.0-1
Severity: serious
Tags: security upstream bookworm trixie
X-Debbugs-CC: team at security.debian.org

Sandbox escape hardening was done in yelp's recent 49.1 release that
was discussed more today at
https://blogs.gnome.org/mcatanzaro/2026/05/11/flatpak-sandbox-escape-via-yelp/

A CVE has been requested, but we don't need to wait for it to be
assigned to fix this issue.

The issue is fixed with these 2 upstream commits:
https://gitlab.gnome.org/GNOME/yelp/-/commit/d220aa2f754eed4e6a006a4acaa68b31892dea2b
https://gitlab.gnome.org/GNOME/yelp/-/commit/c8c8244c8a812860782d635890c9b6c43ecc2639

This issue has already been fixed in unstable.

Thank you,
Jeremy Bícha