Release 1.8.6
This is an "old-stable" update for users of the Flatpak 1.8.x branch, such as Red Hat Enterprise Linux 8. In environments that do not need to stay on a specific branch, updating to the newest stable version instead of using this version is recommended. At the time of writing, the newest stable version is 1.12.4.
This security update fixes a potential attack where a flatpak application
could use custom formatted .desktop files to gain access to files on the
host system. (CVE-2021-21261)
For details, see:
GHSA-4ppf-fxf6-vxg2
This security update also fixes a security vulnerability in the portal
support. Some recently added syscalls were not blocked by the seccomp rules
which allowed the application to create sub-sandboxes which can confuse
the sandboxing verification mechanisms of the portal. This has been
fixed by extending the seccomp rules. (CVE-2021-41133)
For details, see:
GHSA-67h7-w3jq-vh4q
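To make the "extend the seccomp rules" fix concrete, here is an added illustration (not Flatpak's or bubblewrap's own code, which the release does not reproduce) of how a seccomp-BPF filter denies a list of syscalls with EPERM while allowing everything else. The deny list (unshare, setns, mount) is a constructed stand-in for "syscalls a nested sandbox would need"; the release note does not name the syscalls it added, so this list is an assumption, not Flatpak's actual rule set. The probe calls unshare(0), a no-op that normally succeeds for any user, so its return value shows whether the filter is in effect.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Pick the audit architecture constant matching the build, so the filter
   compares syscall numbers against the right ABI; a filter that skips this
   check could be sidestepped by a call made through another ABI. */
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "this example only covers x86_64 and aarch64"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Constructed deny list for the example: namespace- and mount-related
   syscalls a nested sandbox would need. This is NOT Flatpak's real rule set. */
static const int denied_syscalls[] = { SYS_unshare, SYS_setns, SYS_mount };
#define N_DENIED (sizeof denied_syscalls / sizeof denied_syscalls[0])

/* Build and install a seccomp-BPF filter: each listed syscall fails with
   EPERM, everything else is allowed. Returns 0 on success, -1 on failure. */
int install_deny_filter(void) {
    struct sock_filter prog[4 + 2 * N_DENIED + 1];
    size_t i = 0;

    /* 1. Kill the process if the syscall arrives under a foreign ABI. */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);

    /* 2. Load the syscall number and compare it against each denied entry. */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < N_DENIED; k++) {
        /* On a match fall through to the ERRNO return; otherwise skip it. */
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                 (unsigned)denied_syscalls[k], 0, 1);
        prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                                 SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    }

    /* 3. Default action: allow. */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);

    struct sock_fprog fprog = { .len = (unsigned short)i, .filter = prog };

    /* Required for an unprivileged process to install a filter; it also keeps
       execve() from granting privileges the filter was written without. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0)
        return -1;
    return 0;
}

/* Probe: unshare(0) is a no-op that normally succeeds for any user.
   Returns 0 if the call went through, otherwise the errno the kernel gave. */
int probe_unshare(void) {
    errno = 0;
    if (syscall(SYS_unshare, 0) == 0)
        return 0;
    return errno;
}

int main(void) {
    printf("before filter: unshare(0) -> %d\n", probe_unshare());
    if (install_deny_filter() != 0) {
        perror("install_deny_filter");
        return 1;
    }
    printf("after filter:  unshare(0) -> %d (EPERM is %d)\n", probe_unshare(), EPERM);
    return 0;
}
```

The point the release note makes is that a deny list like this one only protects against the syscalls it names: when the kernel gains a new entry point with equivalent effect, the filter has to be extended or the protection silently lapses, which is exactly what the 1.8.6 fix does for Flatpak's rules. Run as an unprivileged user; in a container whose own seccomp profile already restricts unshare the "before" probe may report EPERM as well.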
Other changes:
- Don't inherit an unusual $XDG_RUNTIME_DIR setting into the sandbox, fixing a regression introduced when CVE-2021-21261 was fixed in 1.8.5 and 1.10.0
- Fix fd confusion in flatpak-spawn --env=... --forward-fd=..., resolving a regression introduced in 1.8.5
- Fix deploys of local remotes in system-helper, possibly involving newer GLib versions
- Memory leak fixes backported from 1.10.2 and 1.11.2
- File descriptor leak fixes backported from 1.10.2, 1.10.3 and 1.11.2
- Add --enable-asan configure option backported from 1.10.1
- The .profile snippets now disable GVfs when calling flatpak to avoid spawning a gvfs daemon when logging in via ssh
- Fix test failures on non-x86_64 systems
- Update Polish translation
$ sha256sum flatpak-1.8.6.tar.xz
70dc6bb6231c494885dd82f6607a3033b7636c0ad0c399e59f7c760fbffb4de7 flatpak-1.8.6.tar.xz