Tracking bug for flatpak April security update
Bug #1679433 reported by Jeremy Bícha
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
flatpak (Ubuntu) | Fix Released | Undecided | Unassigned |
Yakkety | Confirmed | Undecided | Unassigned |
Zesty | Fix Released | Undecided | Unassigned |
Artful | Fix Released | Undecided | Unassigned |
Bug Description
.
information type: Public → Public Security
Changed in flatpak (Ubuntu Zesty):
status: New → Fix Released
Changed in flatpak (Ubuntu Artful):
status: New → Fix Released
Changed in flatpak (Ubuntu Yakkety):
status: New → Confirmed
This bug was fixed in the package flatpak - 0.8.5-1
---------------
flatpak (0.8.5-1) unstable; urgency=medium
* New upstream bugfix release
* Upstream security fixes:
- dbus-proxy: Fix a use-after-free (no specific exploit is known)
and several memory leaks
- system-helper: Correct the check that was meant to prevent
unprivileged users from downgrading system-wide-installed apps
- Do not allow downgrading apps to validly-signed older versions
unless a specific older version is requested, so that a
man-in-the-middle cannot cause a downgrade to an older app
version with a vulnerability
* Other upstream fixes:
- Increase GLib build-dependency to 2.44 (in practice this was
already required, there is a patch in jessie-backports to
relax this)
- Collect system extension references from all system directories,
not just the first that exists (upstream issue 654)
- Stop using ostree trivial-httpd, which is not available in
post-stretch ostree (upstream issues 658, 723)
- Be build-time compatible with post-stretch ostree (upstream
issue 756)
- Strip ?query suffix before detecting whether a URI points to a
.flatpakref or .flatpakrepo file (upstream issue 659)
- Fix a typo in help output
* d/tests/control: most tests now require python, for the
ostree-trivial-httpd replacement
-- Simon McVittie <email address hidden> Mon, 03 Apr 2017 16:35:44 +0100
flatpak (0.8.4-3) unstable; urgency=medium
* Mark the one remaining patch as applied in 0.9.1
* Upload to unstable
-- Simon McVittie <email address hidden> Wed, 15 Mar 2017 18:43:51 +0000