[Pkg-utopia-maintainers] flatpak_1.10.5-0+deb11u1~bpo10+1_source.changes ACCEPTED into buster-backports->backports-policy, buster-backports
Debian FTP Masters
ftpmaster at ftp-master.debian.org
Wed Oct 20 08:17:42 BST 2021
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 12 Oct 2021 23:07:15 +0100
Source: flatpak
Architecture: source
Version: 1.10.5-0+deb11u1~bpo10+1
Distribution: buster-backports
Urgency: medium
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers at lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv at debian.org>
Closes: 995935
Changes:
 flatpak (1.10.5-0+deb11u1~bpo10+1) buster-backports; urgency=medium
 .
   * Rebuild for buster-backports.
     - Revert "debian/control: Add libmalcontent-0-dev to the
       build-dependencies". It wasn't available in buster.
     - Revert "Add Suggests on malcontent-gui".
     - Downgrade dbus from Depends to Recommends.
       It only needed to be a Depends for the libmalcontent integration,
       but it is necessary for system-wide installations (without --user),
       so a Recommends still seems appropriate.
   * Note that this backport requires libseccomp2 (>= 2.5.0) from
     buster-backports. This is necessary in order to prevent clone3()
     when using backported bullseye kernels.
 .
 flatpak (1.10.5-0+deb11u1) bullseye-security; urgency=medium
 .
   * New upstream stable release 1.10.4
     - Don't allow VFS manipulation which could be used to trick portals
       into allowing unintended access to host
       (Closes: #995935, CVE-2021-41133, GHSA-67h7-w3jq-vh4q)
     - Fix parental controls check when installing system-wide as non-root
     - OCI now uses the pax tar format, which handles large files better
       than GNU tar
     - tests: Fix test-sideload.sh if ostree is built with curl backend
       (this change is unnecessary but harmless in the configuration used
       in Debian)
   * New upstream stable release 1.10.5
     - Fix regressions in 1.12.0 with extra data or --allow=multiarch.
       This only partially prevents use of VFS-manipulating syscalls if a
       newer kernel is used with an older libseccomp, but that's the best
       we will be able to achieve without new features in libseccomp and/or
       bubblewrap.
   * d/control: Build-depend on libseccomp 2.5.0.
     This ensures that we can block creation of new user namespaces via
     clone3(), which should be enough to prevent CVE-2021-41133 on
     at least Debian 11 kernels (Linux 5.10). It also allows blocking most
     of the syscalls we want to block; we cannot guarantee to be able to
     block mount_setattr(), which was only added in libseccomp 2.5.2, but
     that syscall was new in Linux 5.12.
   * d/p/Fix-handling-of-syscalls-only-allowed-by-devel.patch:
     Fix error handling for syscalls that are only allowed with --devel
Checksums-Sha1:
84facde190fefad728618586f29614214c1849f0 3701 flatpak_1.10.5-0+deb11u1~bpo10+1.dsc
217cfe7bcb9247b881ebe03de1bfb107f06d5091 32620 flatpak_1.10.5-0+deb11u1~bpo10+1.debian.tar.xz
808c0df36dbb6c203c57c06d572bb0e0f5cfd4e1 13159 flatpak_1.10.5-0+deb11u1~bpo10+1_source.buildinfo
Checksums-Sha256:
55b6882cceeba113180b130eac8aaa4f235b6c5878798eb8c4dc122fa14bb1a1 3701 flatpak_1.10.5-0+deb11u1~bpo10+1.dsc
2be85e824d101ace14e81b3b764f250372289e61814bca461a7978f4fcc18d3d 32620 flatpak_1.10.5-0+deb11u1~bpo10+1.debian.tar.xz
d3a1f17532ce2fa83056eb8e6f815f6a2435925e053c5a398eed2b9bf70cc080 13159 flatpak_1.10.5-0+deb11u1~bpo10+1_source.buildinfo
Files:
809453d3515ba5b7969f1c5e8018d4b0 3701 admin optional flatpak_1.10.5-0+deb11u1~bpo10+1.dsc
74dae01e7f74a23adaca607e722cc4b7 32620 admin optional flatpak_1.10.5-0+deb11u1~bpo10+1.debian.tar.xz
4b907b2baa7b3a1eb962a9a074c36936 13159 admin optional flatpak_1.10.5-0+deb11u1~bpo10+1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Thank you for your contribution to Debian.