[Pkg-utopia-maintainers] flatpak_1.16.6-1~deb13u1_source.changes ACCEPTED into proposed-updates
Debian FTP Masters
ftpmaster at ftp-master.debian.org
Sat Apr 18 16:18:22 BST 2026
Thank you for your contribution to Debian.
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 10 Apr 2026 23:58:31 BST
Source: flatpak
Architecture: source
Version: 1.16.6-1~deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers at lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv at debian.org>
Closes: 1132943 1132944 1132945 1132946
Changes:
 flatpak (1.16.6-1~deb13u1) trixie-security; urgency=high
 .
   * Backport new upstream stable release for Debian 13
     - Fix a sandbox escape involving symlinks passed to flatpak-portal.
       A malicious or compromised Flatpak app could exploit this to achieve
       arbitrary code execution on the host.
       (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
     - Prevent arbitrary file deletion outside the sandbox by a malicious or
       compromised Flatpak app
       (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
     - Prevent a local user from reading any file that is readable by the
       _flatpak system user. A mitigation is that it would be very unusual
       for these files not to be readable by the original local user as well.
       (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
     - Prevent a local user from making another local user unable to cancel
       an ongoing download of apps or runtimes installed system-wide
       via the system helper.
       (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
     - Various fixes for regressions caused when fixing CVE-2026-34078
   * Revert changes that are not appropriate for a stable update:
     - Revert "d/watch: Convert to v5 format, only watch stable
       (even-numbered) releases"
     - Revert "Standards-Version: 4.7.3"
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----