Announcing Flatpak 1.12.9, 1.10.9 (backported security fix releases)

Simon McVittie smcv at collabora.com
Thu Apr 18 16:55:38 UTC 2024


Available here:
https://github.com/flatpak/flatpak/releases/tag/1.12.9
https://github.com/flatpak/flatpak/releases/tag/1.10.9

These are "old-stable" releases for long-term-support distributions,
backporting the security fix from 1.14.6. If possible, please use the
latest stable branch (1.14.x) instead.

$ sha256sum -b flatpak-1.12.9.tar.xz
b69ba4c66c6423a3f9ec17ede157ce11d421a72d642f65788ad7e86811146974 *flatpak-1.12.9.tar.xz
$ sha256sum -b flatpak-1.10.9.tar.xz
241c22a91a5dfcf4f0575cde47868b57ac4c5c93951ae33b25293aa0d61bf092 *flatpak-1.10.9.tar.xz

Security fixes:

  * Don't allow an executable name to be misinterpreted as a command-line
    option for bwrap(1). This prevents a sandbox escape where a malicious
    or compromised app could ask xdg-desktop-portal to generate a .desktop
    file with access to files outside the sandbox. (CVE-2024-32462)

-- 
Simon McVittie, Collabora Ltd. / Debian
on behalf of the Flatpak maintainers
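
The bug class named in the security fix above, as an added illustration that is not Flatpak's or bwrap's own code: a stand-in launcher parser shows how a caller-supplied executable name can be read as an option, and how an end-of-options `--` marker keeps it in the command position. The option names `--share-path` and `--unshare-net`, the function names and the sample paths are hypothetical and constructed for this example.

```python
# Added example. The option names below are hypothetical, not bwrap's real CLI.
LAUNCHER_OPTS = {"--share-path": 1, "--unshare-net": 0}  # option -> value count


def parse_launcher_argv(argv):
    """Stand-in for a launcher that expects: [OPTIONS...] [--] COMMAND [ARGS...].

    Returns (options, command_argv) as the launcher would understand them.
    """
    opts = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "--":                      # explicit end of options
            return opts, argv[i + 1:]
        if not arg.startswith("--"):         # first non-option starts the command
            return opts, argv[i:]
        if arg not in LAUNCHER_OPTS:
            raise ValueError(f"unknown option {arg}")
        nvalues = LAUNCHER_OPTS[arg]
        if i + 1 + nvalues > len(argv):
            raise ValueError(f"missing value for {arg}")
        opts.append((arg, argv[i + 1:i + 1 + nvalues]))
        i += 1 + nvalues
    return opts, []


def build_argv_unsafe(command, args):
    # Caller-controlled name is appended directly after the trusted options,
    # so a name beginning with "--" lands where the parser expects options.
    return ["--unshare-net", command, *args]


def build_argv_safe(command, args):
    # "--" ends option parsing; everything after it is command and arguments.
    return ["--unshare-net", "--", command, *args]


if __name__ == "__main__":
    # Constructed inputs: one ordinary name, one option-like name.
    for cmd, args in (("/app/bin/example", ["file"]), ("--share-path", ["/outside"])):
        print("unsafe:", parse_launcher_argv(build_argv_unsafe(cmd, args)))
        print("safe:  ", parse_launcher_argv(build_argv_safe(cmd, args)))
```
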