-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 12 Oct 2021 23:07:15 +0100
Source: flatpak
Architecture: source
Version: 1.10.5-0+deb11u1~bpo10+1
Distribution: buster-backports
Urgency: medium
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 995935
Changes:
 flatpak (1.10.5-0+deb11u1~bpo10+1) buster-backports; urgency=medium
 .
   * Rebuild for buster-backports.
     - Revert "debian/control: Add libmalcontent-0-dev to the build-dependencies".
       It wasn't available in buster.
     - Revert "Add Suggests on malcontent-gui".
     - Downgrade dbus from Depends to Recommends. It only needed to be a
       Depends for the libmalcontent integration, but it is necessary for
       system-wide installations (without --user), so a Recommends still
       seems appropriate.
   * Note that this backport requires libseccomp2 (>= 2.5.0) from
     buster-backports. This is necessary in order to prevent clone3() when
     using backported bullseye kernels.
 .
 flatpak (1.10.5-0+deb11u1) bullseye-security; urgency=medium
 .
   * New upstream stable release 1.10.4
     - Don't allow VFS manipulation which could be used to trick portals
       into allowing unintended access to host
       (Closes: #995935, CVE-2021-41133, GHSA-67h7-w3jq-vh4q)
     - Fix parental controls check when installing system-wide as non-root
     - OCI now uses the pax tar format, which handles large files better
       than GNU tar
     - tests: Fix test-sideload.sh if ostree is built with curl backend
       (this change is unnecessary but harmless in the configuration used
       in Debian)
   * New upstream stable release 1.10.5
     - Fix regressions in 1.12.0 with extra data or --allow=multiarch.
       This only partially prevents use of VFS-manipulating syscalls if a
       newer kernel is used with an older libseccomp, but that's the best
       we will be able to achieve without new features in libseccomp
       and/or bubblewrap.
   * d/control: Build-depend on libseccomp 2.5.0.
     This ensures that we can block creation of new user namespaces via
     clone3(), which should be enough to prevent CVE-2021-41133 on at least
     Debian 11 kernels (Linux 5.10). It also allows blocking most of the
     syscalls we want to block; we cannot guarantee to be able to block
     mount_setattr(), which was only added in libseccomp 2.5.2, but that
     syscall was new in Linux 5.12.
   * d/p/Fix-handling-of-syscalls-only-allowed-by-devel.patch:
     Fix error handling for syscalls that are only allowed with --devel
Checksums-Sha1:
 84facde190fefad728618586f29614214c1849f0 3701 flatpak_1.10.5-0+deb11u1~bpo10+1.dsc
 217cfe7bcb9247b881ebe03de1bfb107f06d5091 32620 flatpak_1.10.5-0+deb11u1~bpo10+1.debian.tar.xz
 808c0df36dbb6c203c57c06d572bb0e0f5cfd4e1 13159 flatpak_1.10.5-0+deb11u1~bpo10+1_source.buildinfo
Checksums-Sha256:
 55b6882cceeba113180b130eac8aaa4f235b6c5878798eb8c4dc122fa14bb1a1 3701 flatpak_1.10.5-0+deb11u1~bpo10+1.dsc
 2be85e824d101ace14e81b3b764f250372289e61814bca461a7978f4fcc18d3d 32620 flatpak_1.10.5-0+deb11u1~bpo10+1.debian.tar.xz
 d3a1f17532ce2fa83056eb8e6f815f6a2435925e053c5a398eed2b9bf70cc080 13159 flatpak_1.10.5-0+deb11u1~bpo10+1_source.buildinfo
Files:
 809453d3515ba5b7969f1c5e8018d4b0 3701 admin optional flatpak_1.10.5-0+deb11u1~bpo10+1.dsc
 74dae01e7f74a23adaca607e722cc4b7 32620 admin optional flatpak_1.10.5-0+deb11u1~bpo10+1.debian.tar.xz
 4b907b2baa7b3a1eb962a9a074c36936 13159 admin optional flatpak_1.10.5-0+deb11u1~bpo10+1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAmFpuVcACgkQ4FrhR4+B
TE9JjA/+JwnZOZ4W136YCqWrSzxqhJEd7/B1Upvi/PZ1vqNiavzNyN6O7ap00iBb
XhM/j6qIRIrt0KSgI8QqT7c9sanCYtl5YwuVWSOG76RN3RDAX6k1SL7gx5FgaFb8
SKhe5baBpJ0SvuoDA/xbNA27Inp7AslQN9lIm2FHGw66XZGWxO6AlZviG87Gi9EL
a7szAzEzhoHgHhigXQvKYIC0GgspktDOgp/IseBVDPtZNky0oU1aNMlBSzwli/z6
sZDy90uu0ZkBwu+sbuF/D4CdC2ZxWrgcy8Qhb2PWhsS5nHe8uJpvRIDJ/HLaqM5J
yv6CK5sYL/yExj1PKJ6+dAMVTNayEzllIqCMOiy75/5zfPPFqPQR+vkdUdn39yEQ
fnUi/RspTW2pe+in6tvIW3KNISpf6HUbV2NIX0QxlVKSw8LD1JbFef/WkYpm8kC3
yrbcs9aEHqzsGKaD+wqzaSvO0YrFT4/zeX4Tbw1f1v4608zPF+iQP0vm5Kpt16O2
/wa+lOiC1uwiU0d1d+ND35HVHNTWZX8exE4vDuxkaGNrEe6RBFV4Mo5cKi1cIYoM
3JSmTVI2F+pks5imvTazUZjxQ34nu8TGZ42HdOz7+Oj0KTmcP3dto5S1f8BCWWM+
8IVWcN/KpEgmTdayR37b4NSwSJ3EFlipU6pAxEbK6jJKsP3t9PA=
=toS2
-----END PGP SIGNATURE-----
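Added example, not code from flatpak, bubblewrap or the Debian package: the changelog's point is that a sandbox's seccomp filter can only deny a syscall it knows by number, so a libseccomp older than the kernel silently lets clone3() (and later mount_setattr()) through, and clone3() in particular carries its flags in a userspace struct that BPF cannot read, so it has to be refused outright rather than filtered on CLONE_NEWUSER the way clone() is. The program below builds that filter as raw seccomp-BPF with the numbers supplied by hand (435 and 442 are the unified 64-bit numbers; these fallbacks, the x86_64/aarch64 little-endian assumption, and EPERM as the denial errno are all choices of this example, not necessarily what flatpak's own rules use), installs it in a forked child, and checks that a clone3() call and a clone(CLONE_NEWUSER) call both come back EPERM. The probe arguments are deliberately ones the kernel would reject with EINVAL, so nothing is ever actually cloned and an EPERM answer can only have come from the filter.

```c
/* Added illustration (not flatpak/bubblewrap code): raw seccomp-BPF filter
 * that denies clone3, mount_setattr and the mount family by number, and
 * clone() only when CLONE_NEWUSER is requested. Assumes x86_64 or aarch64. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sched.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks for headers that predate the syscall (assumed numbers, see lead-in). */
#ifndef __NR_clone3
#define __NR_clone3 435          /* Linux 5.3, unified number on 64-bit arches */
#endif
#ifndef __NR_mount_setattr
#define __NR_mount_setattr 442   /* Linux 5.12 */
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_FS
#define CLONE_FS 0x00000200
#endif
#if defined(__x86_64__)
#define OUR_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define OUR_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define DENY (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Jump offsets count forward from the next instruction; index 13 is DENY. */
static struct sock_filter filter[] = {
    /* 0-2: kill if the syscall table is not the one these rules were written for */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, OUR_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 3-8: denied outright; clone3 passes its flags in a struct, so BPF
       cannot look for CLONE_NEWUSER and the whole syscall has to go */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3, 8, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mount_setattr, 7, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mount, 6, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_pivot_root, 5, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_umount2, 4, 0),
    /* 9-11: clone() carries flags in its first register argument, so only
       the CLONE_NEWUSER case is denied (low 32 bits of args[0], little-endian) */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 0, 2),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, CLONE_NEWUSER, 1, 0),
    /* 12-13 */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, DENY),
};

/* Run fn() in a forked child under the filter. Returns the errno the child saw,
 * 0 if the call was not refused, or -1 if the filter could not be installed. */
static int errno_under_filter(long (*fn)(void)) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
            _exit(255);
        errno = 0;
        if (fn() >= 0) _exit(0);
        _exit(errno & 0xff);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

/* 1 if the filter refused the call with EPERM, 0 if it got through, -1 if untestable here. */
static int filter_refuses(long (*fn)(void)) {
    int e = errno_under_filter(fn);
    return e < 0 ? -1 : e == EPERM;
}

/* struct clone_args at CLONE_ARGS_SIZE_VER0 (64 bytes), declared locally so the
 * example builds against headers that predate clone3. */
struct clone3_args_v0 {
    uint64_t flags, pidfd, child_tid, parent_tid, exit_signal, stack, stack_size, tls;
};

/* Both probes are invalid for the kernel (exit_signal outside CSIGNAL; CLONE_NEWUSER
 * with CLONE_FS), so unfiltered they fail with EINVAL and never create a process. */
static long try_clone3(void) {
    struct clone3_args_v0 a = { .exit_signal = 0x100 };
    return syscall(__NR_clone3, &a, sizeof a);
}
static long try_clone_newuser(void) {
    return syscall(__NR_clone, (unsigned long)(CLONE_NEWUSER | CLONE_FS), 0, 0, 0, 0);
}

int main(void) {
    static const char *verdict[] = { "NOT blocked", "blocked (EPERM)", "filter not installable" };
    int c3 = filter_refuses(try_clone3), cl = filter_refuses(try_clone_newuser);
    printf("clone3():             %s\n", verdict[c3 < 0 ? 2 : c3]);
    printf("clone(CLONE_NEWUSER): %s\n", verdict[cl < 0 ? 2 : cl]);
    return (c3 == 1 && cl == 1) ? 0 : 1;
}
```

Build with `cc -o seccomp-clone3 seccomp-clone3.c` and run it on a Linux 5.x x86_64 or aarch64 host; both lines should report "blocked (EPERM)". To see the gap the changelog describes, delete the `__NR_clone3` and `__NR_mount_setattr` rules (or leave the numbers undefined on an old header set) and the clone3() line becomes "NOT blocked" even though clone(CLONE_NEWUSER) is still refused, which is exactly the situation a libseccomp older than 2.5.0 leaves a sandbox in on a newer kernel.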