Announcing Flatpak 1.15.10 (development prerelease)
Simon McVittie
smcv at collabora.com
Wed Aug 14 16:47:33 UTC 2024
Available here: https://github.com/flatpak/flatpak/releases/tag/1.15.10

6aa67ca29b4f4da74654888446710b16c9fcfe640c324a51c5025087eecbf42f *flatpak-1.15.10.tar.xz

This is a development prerelease for the adventurous, part of the 1.15.x
branch, which will (hopefully soon) lead to a 1.16.0 stable release. Don't
include this version in stable OS distributions.

This release fixes the same security vulnerability as the 1.14.10
stable release.

Dependencies:

* In distributions that compile Flatpak to use a separate bubblewrap (bwrap)
  executable, version 0.10.0 is required.
  This version adds a new feature which is required by the security fix
  in this release.

Security fixes:

* Don't follow symbolic links when mounting persistent directories
  (--persist option). This prevents a sandbox escape where a malicious or
  compromised app could edit the symlink to point to a directory that
  the app should not have been allowed to read or write.
  (CVE-2024-42472, GHSA-7hgv-f2j8-xw87)

Documentation:

* Mark the 1.12.x and 1.10.x branches as end-of-life (#5352)

Other bug fixes:

* Fix several memory leaks (#5883, #5884)

Internal changes:

* Record a log file when running build-time tests with
  AddressSanitizer (#5884)
* Add initial suppressions file for AddressSanitizer (#5884)

--
Simon McVittie, Collabora Ltd. / Debian
on behalf of the Flatpak maintainers
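
The general technique behind the "don't follow symbolic links" fix above, shown as an added example: it is not part of the original announcement and is not Flatpak's or bubblewrap's code. The function names, the `.persist` directory name and the temporary paths are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `rel` beneath base_fd one component at a time. O_NOFOLLOW makes
 * openat() fail when a component is a symlink, so a link planted by the
 * app cannot redirect the walk outside the base. Returns an fd or -1. */
int open_dir_nofollow(int base_fd, const char *rel)
{
    char buf[4096], *save = NULL;
    if (strlen(rel) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, rel);
    int fd = dup(base_fd);
    for (char *c = strtok_r(buf, "/", &save); fd >= 0 && c;
         c = strtok_r(NULL, "/", &save)) {
        int next = -1, err = EINVAL;          /* "." and ".." are refused */
        if (strcmp(c, ".") != 0 && strcmp(c, "..") != 0) {
            next = openat(fd, c, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
            err = errno;
        }
        close(fd);                            /* parent fd no longer needed */
        errno = err;
        fd = next;
    }
    return fd;
}

/* Constructed scenario: base/.persist is either a real directory or a
 * symlink to an "outside" directory. Returns 1 if the open succeeded. */
int demo(int plant_symlink)
{
    char base[] = "/tmp/persist-demo-XXXXXX", outside[] = "/tmp/outside-demo-XXXXXX";
    if (!mkdtemp(base) || !mkdtemp(outside)) return -1;
    int base_fd = open(base, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (base_fd < 0) return -1;
    int rc = plant_symlink ? symlinkat(outside, base_fd, ".persist")
                           : mkdirat(base_fd, ".persist", 0700);
    int fd = rc == 0 ? open_dir_nofollow(base_fd, ".persist") : -1;
    int ok = fd >= 0;
    if (fd >= 0) close(fd);
    unlinkat(base_fd, ".persist", plant_symlink ? 0 : AT_REMOVEDIR);
    close(base_fd);
    rmdir(base); rmdir(outside);
    return ok;
}
```

The returned descriptor refers to the directory that was actually checked, so later operations should use that descriptor rather than the path, which could be swapped for a symlink after the check.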