Announcing Flatpak 1.14.6 (security fix release)
Simon McVittie
smcv at collabora.com
Thu Apr 18 16:52:44 UTC 2024
Available here: https://github.com/flatpak/flatpak/releases/tag/1.14.6
This is a maintenance release fixing security issues.
$ sha256sum -b flatpak-1.14.6.tar.xz
538f36b2c6f8c70eefd12d13ad5b1ad830820106a8bd3a9f6b8e4d9de81e4946 *flatpak-1.14.6.tar.xz
Security fixes:
* Don't allow an executable name to be misinterpreted as a command-line
option for bwrap(1). This prevents a sandbox escape where a malicious
or compromised app could ask xdg-desktop-portal to generate a .desktop
file with access to files outside the sandbox. (CVE-2024-32462)
Other bug fixes:
* Don't parse <developer><name/></developer> as the application name
(#5700)
--
Simon McVittie, Collabora Ltd. / Debian
on behalf of the Flatpak maintainers
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/flatpak/attachments/20240418/f9efaa38/attachment.sig>
More information about the Flatpak
mailing list