Announcing Flatpak 1.14.10 (security fix release)
Simon McVittie
smcv at collabora.com
Wed Aug 14 16:43:44 UTC 2024
Available here: https://github.com/flatpak/flatpak/releases/tag/1.14.10
This is a maintenance release fixing a security issue:
https://github.com/flatpak/flatpak/security/advisories/GHSA-7hgv-f2j8-xw87
$ sha256sum -b flatpak-1.14.10.tar.xz
6bbdc7908127350ad85a4a47d70292ca2f4c46e977b32b1fd231c2a719d821cd *flatpak-1.14.10.tar.xz
Dependencies:
* In distributions that compile Flatpak to use a separate bubblewrap (bwrap)
executable, either version 0.10.0, version 0.6.x ≥ 0.6.3, or a version
with a backport of the --bind-fd option is required.
These versions add a new feature which is required by the security fix
in this release.
Security fixes:
* Don't follow symbolic links when mounting persistent directories
(--persist option). This prevents a sandbox escape where a malicious or
compromised app could edit the symlink to point to a directory that
the app should not have been allowed to read or write.
(CVE-2024-42472, GHSA-7hgv-f2j8-xw87)
Documentation:
* Mark the 1.12.x and 1.10.x branches as end-of-life (#5352)
Version 1.14.9 was not released due to an incompatibility with older
versions of GLib. Version 1.14.10 replaces it.
--
Simon McVittie, Collabora Ltd. / Debian
on behalf of the Flatpak maintainers