Format: 1.8
Date: Mon, 13 Apr 2026 10:29:00 +0100
Source: flatpak
Architecture: source
Version: 1.16.6-1~deb13u1~bpo12+1
Distribution: bookworm-backports
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 1132943 1132944 1132945 1132946
Changes:
 flatpak (1.16.6-1~deb13u1~bpo12+1) bookworm-backports; urgency=high
 .
   * Merge trixie security update 1.16.6-1~deb13u1
     - Fix a sandbox escape involving symlinks passed to flatpak-portal.
       A malicious or compromised Flatpak app could exploit this to
       achieve arbitrary code execution on the host.
       (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
     - Prevent arbitrary file deletion outside the sandbox by a malicious
       or compromised Flatpak app
       (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
     - Prevent a local user from reading any file that is readable by the
       _flatpak system user. A mitigation is that it would be very unusual
       for these files not to be readable by the original local user as
       well.
       (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
     - Prevent a local user from making another local user unable to
       cancel an ongoing download of apps or runtimes installed
       system-wide via the system helper.
       (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
     - Various fixes for regressions caused when fixing CVE-2026-34078
   * Remaining changes for bookworm-backports:
     - d/control, d/gbp.conf: Branch for Debian 12 'bookworm' backports
     - d/control, d/p/debian/build-Relax-bubblewrap-dependency.patch:
       Relax bubblewrap dependency to the version from bookworm-security
     - Revert "d/control: Build-depend on required GIR XML files"
     - Revert "Install systemd system unit into /usr/lib/systemd/system"