-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Mon, 27 Feb 2017 11:05:06 +0000 Source: bubblewrap Binary: bubblewrap Architecture: source amd64 Version: 0.1.7-1~bpo8+1 Distribution: jessie-backports Urgency: medium Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org> Changed-By: Simon McVittie <smcv@debian.org> Description: bubblewrap - setuid wrapper for unprivileged chroot and namespace manipulation Changes: bubblewrap (0.1.7-1~bpo8+1) jessie-backports; urgency=medium . * Rebuild for jessie-backports - debian/gbp.conf: adjust for this branch . bubblewrap (0.1.7-1) unstable; urgency=medium . * New upstream release - effectively the same as 0.1.6-2 - drop all patches . bubblewrap (0.1.6-2) unstable; urgency=medium . * d/p/Make-the-call-to-setsid-optional-with-new-session.patch: Add patch from upstream to make the setsid() that addresses CVE-2017-5226 optional, because it breaks interactive shells. Users of bubblewrap to confine untrusted programs should either add --new-session to the bwrap command line, or prevent the TIOCSTI ioctl with a seccomp filter instead (as Flatpak does). - d/control: add Breaks on versions of Flatpak that did not load the necessary seccomp filter to prevent CVE-2017-5226 * d/p/demos-bubblewrap-shell.sh-Unshare-all-namespaces.patch: Add patch from upstream to improve example code * d/p/Call-setsid-and-setexeccon-befor-forking-the-init-monitor.patch, d/p/Install-seccomp-filter-at-the-very-end.patch: Add patches from upstream to re-order initialization. This means the seccomp filter is no longer required to account for syscalls that are made by bwrap itself. * d/p/Add-unshare-all-and-share-net.patch: Add patch from upstream introducing new command line options --unshare-all and --share-net, for a more whitelist-based approach to sharing namespaces with the parent. . bubblewrap (0.1.6-1) unstable; urgency=medium . * New upstream release - drop the only patch, applied upstream * debian/patches: update to upstream master for additional fixes to SIGCHLD handling and documentation, and improved hardening against being able to obtain capabilities * debian/bubblewrap.examples: install upstream examples Checksums-Sha1: 5b4285caa051e996f9be959eb5dfeea6e5ca4abe 2170 bubblewrap_0.1.7-1~bpo8+1.dsc c093b95ef2cb9f4676a1e1f83cd3eb1a5e8f6af4 5724 bubblewrap_0.1.7-1~bpo8+1.debian.tar.xz 86501e7f131918df6334cb63cb43366627545925 30804 bubblewrap_0.1.7-1~bpo8+1_amd64.deb Checksums-Sha256: cd8357e15cfc32cbc1ac33423f1c1e7696a15ea798d155bfd1a1499fb0661901 2170 bubblewrap_0.1.7-1~bpo8+1.dsc 46ec803ca2d997192f3decbce34ec09cf66912d0d0b2113657ca5e40b59ebadf 5724 bubblewrap_0.1.7-1~bpo8+1.debian.tar.xz 5b99dfb44dac6bfa2b031ab0dcc2ff88f31f1b746bacbd7fd4ea7d75c4156313 30804 bubblewrap_0.1.7-1~bpo8+1_amd64.deb Files: 6a8425dc585cba9df1fa0816e3682d67 2170 admin optional bubblewrap_0.1.7-1~bpo8+1.dsc 2801ab4d8296e69ca0f0f40754d51240 5724 admin optional bubblewrap_0.1.7-1~bpo8+1.debian.tar.xz 6f96cd92599f5ebb68fd8861dd569fb1 30804 admin optional bubblewrap_0.1.7-1~bpo8+1_amd64.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEE2pjyXAhxxJpZ6v8sTej/KmPHzJAFAli0IMUACgkQTej/KmPH zJD7Dw//b/VmetG9B69KNo8IDj813HG98LrDd4j/ur1M12hXMinjrVUMpzdBUpxg J8EwVD5J7rftYR6Iys53hWTaZZDRFu+qiQqu/vpJZWS8Xd7avBk8Uv/usPp89zzT RpN70+/ZM/8MYC80/QwlxQ33wk/9M+d7Z75XyvNgiFDff9RoU5oyQnedJX088BfZ k9/KEYwR8UxXcHWOmc9vNFaHK1JtGM5QKVo+xdUV/FrSPFCMed8D5JiAv5oesAiB ZDgmyZXJr7AH+ccSKFPNSgGNuX3cE//8f/VEemoDVYrsSqnP4gpo5vIt29FpmeWV uyJsd5m7bZ2P8oB0oymrZjR96Na1sK7MdeWaN81doaYm2xvXG0vYl227QBa/EWCO F+Hcw9Lxr/YYwbuG+WD8+CGrNmjcwjqzDQSLhbY2fVXqQtg9KXvTVpqWMOjsGLkL Bu+fVJXVR/cvGpCdeXErU7HfAEm3Gv3MmMnOWk89nIBaLxFbDZWcr+f/QCURxjy1 C3r30lOaT2Qf3siku/6mVOTv0Jl1cVuk5XVhNf+P2+Rt0KF816smUFhHjsVHLsX8 L6etjSEMn2RYvu7EC7m9wmUOTULW9B0Hti2lMuyBv/QFZeRSjWoVxs/7DOmjZ77H m2bj9AOmTzK5gm6L0rAEQ933vtzrlhgYXTlf5CQhtoCPSELSqGA= =x7L0 -----END PGP SIGNATURE-----