-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 07 Apr 2026 22:14:56 +0100
Source: flatpak
Architecture: source
Version: 1.16.4-1
Distribution: unstable
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Changes:
 flatpak (1.16.4-1) unstable; urgency=high
 .
   * New upstream security release
     - Fix a sandbox escape involving symlinks passed to flatpak-portal.
       A malicious or compromised Flatpak app could exploit this to achieve
       arbitrary code execution on the host.
       (CVE-2026-34078, GHSA-cc2q-qc34-jprg)
     - Prevent arbitrary file deletion outside the sandbox by a malicious or
       compromised Flatpak app
       (CVE-2026-34079, GHSA-p29x-r292-46pp)
     - Prevent a local user from reading any file that is readable by the
       _flatpak system user. A mitigation is that it would be very unusual
       for these files not to be readable by the original local user as well.
       (No CVE ID, GHSA-2fxp-43j9-pwvc)
     - Prevent a local user from making another local user unable to cancel
       an ongoing download of apps or runtimes installed system-wide
       via the system helper.
       (No CVE ID, GHSA-89xm-3m96-w3jg)
Checksums-Sha1:
393f1cb497e09faa519445e591440ce27eda8cf4 3827 flatpak_1.16.4-1.dsc
667b35d8de99a867266b3e2fceb21427f9d3f1e2 1239368 flatpak_1.16.4.orig.tar.xz
503d437e4effae1727c4af5f740bf44ac858967f 42016 flatpak_1.16.4-1.debian.tar.xz
139521dc01d8730582a8ff91a5ba6df085675471 14351 flatpak_1.16.4-1_source.buildinfo
Checksums-Sha256:
0f6d1aff0b3c5ca7b2887782fef8729ace8aafd80c0c6310c2ca6dd8ac96b8b2 3827 flatpak_1.16.4-1.dsc
761ff3ba00c99a26f914c6999e90b12a54cab19cea5888413f17e46ee618d8fe 1239368 flatpak_1.16.4.orig.tar.xz
303bf092e69f623e2728f6ef1a4f9115532d11d52702cf33c577fea3883c7611 42016 flatpak_1.16.4-1.debian.tar.xz
651a527f6f613d715671d4118f0e54c3887a67d8c5f8459a4131afa4c7f769c3 14351 flatpak_1.16.4-1_source.buildinfo
Files:
17da3e00e58969972f17052975e04daf 3827 admin optional flatpak_1.16.4-1.dsc
792dd5cf90318df981603d4306d7386f 1239368 admin optional flatpak_1.16.4.orig.tar.xz
c892233f95b35fa35e4d263ac5c77090 42016 admin optional flatpak_1.16.4-1.debian.tar.xz
80ab38499c3ebce5a7095caa100fffbf 14351 admin optional flatpak_1.16.4-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----