Releases: flatpak/flatpak

1.14.4

16 Mar 14:42

Security fixes:

  • Escape special characters when displaying permissions and metadata, preventing malicious apps from manipulating the appearance of the permissions list using crafted metadata (CVE-2023-28101).

  • If a Flatpak app is run on a Linux virtual console (tty1, tty2, etc.), don't allow copy/paste via the TIOCLINUX ioctl (CVE-2023-28100). Note that this is specific to virtual consoles: Flatpak is not vulnerable to this if run from a graphical terminal emulator such as xterm, gnome-terminal or Konsole.
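
As an added illustration of the first fix above (example code written for this page, not Flatpak's own implementation): one way to neutralise terminal control sequences in a metadata value before it is printed. The function name, the `\xNN` output form and the sample string are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Flatpak's API. Copies `in` to `out` (outsz bytes,
 * NUL-terminated), rewriting as \xNN every byte a terminal could act on:
 * C0 controls, DEL, UTF-8 encoded C1 controls (C2 80..C2 9F), and backslash
 * so the result stays unambiguous. Returns the number of bytes escaped,
 * or -1 if `out` is too small. */
int escape_for_display(const char *in, char *out, size_t outsz)
{
    const unsigned char *s = (const unsigned char *)in;
    size_t o = 0;
    int escaped = 0;

    if (outsz == 0)
        return -1;
    while (*s) {
        int c1 = (s[0] == 0xc2 && s[1] >= 0x80 && s[1] <= 0x9f);
        int n = c1 ? 2 : 1;   /* a C1 control is two bytes in UTF-8 */

        if (c1 || s[0] < 0x20 || s[0] == 0x7f || s[0] == '\\') {
            for (int i = 0; i < n; i++) {
                if (o + 5 > outsz)          /* "\xNN" plus NUL */
                    return -1;
                o += (size_t)snprintf(out + o, outsz - o, "\\x%02X", s[i]);
                escaped++;
            }
        } else {
            if (o + 2 > outsz)              /* byte plus NUL */
                return -1;
            out[o++] = (char)s[0];
        }
        s += n;
    }
    out[o] = '\0';
    return escaped;
}

int main(void)
{
    /* Constructed sample: a permission value carrying ESC and CR. */
    const char *value = "home\033[2K\rnone";
    char shown[64];

    if (escape_for_display(value, shown, sizeof shown) >= 0)
        printf("filesystems=%s\n", shown);
    return 0;
}
```

Ordinary non-ASCII text (for example translated app names) passes through unchanged; only control bytes and backslashes are rewritten, so a reviewer sees the raw sequence instead of its effect on the terminal.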

Other bug fixes:

  • Translation update: pl

sha256:

8a34dbd0b67c434e7598b98ec690953d046f0db26e480aeafb46d72aec716799 *flatpak-1.14.4.tar.xz

1.12.8

16 Mar 14:43

Security fixes backported from 1.14.4:

  • Escape special characters when displaying permissions and metadata, preventing malicious apps from manipulating the appearance of the permissions list using crafted metadata (CVE-2023-28101).

  • If a Flatpak app is run on a Linux virtual console (tty1, tty2, etc.), don't allow copy/paste via the TIOCLINUX ioctl (CVE-2023-28100). Note that this is specific to virtual consoles: Flatpak is not vulnerable to this if run from a graphical terminal emulator such as xterm, gnome-terminal or Konsole.

Other bug fixes backported from 1.14.x:

  • Update the SELinux module to explicitly permit the system helper to have read access to /etc/passwd and systemd-userdbd, read and lock access to /var/lib/flatpak, and to watch files inside $libexecdir (#4852, #4855, #4892; Red Hat #2071217, #2071215, #2070741, #2053634, #2070350)
  • If an app update is blocked by parental controls policies, clean up the temporary deploy directory (#5146)
  • Fix Autotools build with versions of gpgme that no longer provide gpgme-config(1) (#5173)
  • Remove some unreachable code (Coverity: CID 1514265)
  • Add missing handling for some D-Bus errors

sha256:

e6db731e7a746372e8f8461e6225c0c9b26623c08a3a9914dbfd8e7c91944931 *flatpak-1.12.8.tar.xz

1.10.8

16 Mar 14:45

Security fixes backported from 1.14.4:

  • Escape special characters when displaying permissions and metadata, preventing malicious apps from manipulating the appearance of the permissions list using crafted metadata (CVE-2023-28101).

  • If a Flatpak app is run on a Linux virtual console (tty1, tty2, etc.), don't allow copy/paste via the TIOCLINUX ioctl (CVE-2023-28100). Note that this is specific to virtual consoles: Flatpak is not vulnerable to this if run from a graphical terminal emulator such as xterm, gnome-terminal or Konsole.

Other bug fixes backported from 1.12.x and 1.14.x:

  • If an app update is blocked by parental controls policies, clean up the temporary deploy directory (#5146)
  • Fix Autotools build with versions of gpgme that no longer provide gpgme-config(1) (#5173)
  • Fix regressions in flatpak history since 1.9.1
    • Don't display the appstream branch used internally
    • Don't display temporary repositories used internally
    • Ignore transaction log entries with empty REF field
    • Warn instead of failing if other non-app, non-runtime refs are found
    • Don't set up an unnecessary polkit agent for flatpak history
    • Add test coverage
  • Fix a typo in an error message
  • Fix incorrect year in NEWS for 1.10.7 release
  • Translation update: pl
  • Add test coverage for Flatpak's seccomp filters

sha256:

65569dbf31344581a1e7782d09e702bb41e7011ae21cd021c414a2925f84b82c *flatpak-1.10.8.tar.xz

1.14.3

27 Feb 13:49

Bug fixes:

  • When splitting an upgrade into two steps (download without installing, and then upgrade without allowing further downloads) like GNOME Software does, if an app is marked EOL and superseded by a replacement, don't remove the superseded app in the first step, which would result in the replacement incorrectly not being installed (#5172)
  • Fix a crash when --socket=gpg-agent is used (#5095)
  • Fix a crash when listing apps if one of them is broken or misconfigured (#5293)
  • If an app has invalid syntax in its overrides or metadata, mention the filename in the error message (#5293)
  • Unset $GDK_BACKEND for apps, ensuring GTK apps with --socket=fallback-x11 can work (#5303)
  • Never try to export a parent of reserved directories as a --filesystem, for example /run, which would prevent the app from starting (#5205, #5207)
  • Never try to export a --filesystem below /run/flatpak or /run/host, which could similarly prevent the app from starting
  • The above change also fixes apps not starting if a --filesystem is a symlink to the root directory (#1357)
  • Show a warning when the --filesystem exists but cannot be shared with the sandbox (#1357, #5035, #5205, #5207)

$ sha256sum -b flatpak-1.14.3.tar.xz
59f0470ccb894d852e4c6fbc1043d8bcc95e38033c5c36f2aa90dd295257eebe *flatpak-1.14.3.tar.xz

1.15.3

21 Feb 12:09
Pre-release

Released: 2023-02-21

Build system:

  • Building this version of Flatpak with Meson is recommended. The source release flatpak-1.15.3.tar.xz no longer contains Autotools-generated files, although this version can still be built using Autotools after running ./autogen.sh. Future versions are likely to remove the Autotools build system.

Bug fixes:

  • When splitting an upgrade into two steps (download without installing, and then upgrade without allowing further downloads) like GNOME Software does, if an app is marked EOL and superseded by a replacement, don't remove the superseded app in the first step, which would result in the replacement incorrectly not being installed (#5172)
  • Fix a crash when --socket=gpg-agent is used (#5095)
  • Fix a crash when listing apps if one of them is broken or misconfigured (#5293)
  • If an app has invalid syntax in its overrides or metadata, mention the filename in the error message (#5293)
  • Unset $GDK_BACKEND for apps, ensuring GTK apps with --socket=fallback-x11 can work (#5303)
  • Fix a deprecation warning when compiled with curl >= 7.85 (#5284)
  • Translation updates: es, ru (#5266, #5312, #5313)

Internal changes:

  • Better diagnostic messages for why runtimes are or are not considered unused (#5237)

sha256:

e0904755ad6dc57d9fd2be9d6035ab117d3c5ca240513979b4efaaa2c4aa3735 *flatpak-1.15.3.tar.xz

1.15.2

06 Feb 14:40
Pre-release

Released: 2023-02-06

Bug fixes:

  • Never try to export a parent of reserved directories as a --filesystem,
    for example /run, which would prevent the app from starting (#5205, #5207)
  • Never try to export a --filesystem below /run/flatpak or /run/host,
    which could similarly prevent the app from starting
  • The above change also fixes apps not starting if a --filesystem is a
    symlink to the root directory (#1357)
  • Show a warning when the --filesystem exists but cannot be shared with
    the sandbox (#1357, #5035, #5205, #5207)
  • Display the intended messages for flatpak repair (#5204)
  • Exporting an app to an existing repository on a CIFS filesystem
    now works as intended (#5257)
  • Unset $GIO_EXTRA_MODULES for apps, avoiding misbehaviour in some GLib
    apps when set to a path on the host (#5206)
  • Unset $XKB_CONFIG_ROOT for apps, avoiding crashes in GTK and Qt apps
    under Wayland when this variable is set to a path not available in the
    sandbox (#5194)
  • When using the fish shell, avoid duplicate XDG_DATA_DIRS entries if the
    profile script is sourced more than once (#5198)
  • Update included copy of bubblewrap to 0.7.0 for better error messages
  • Install SELinux files correctly when building with Meson
  • Translation updates: ru, tr (#5256, #5262)

Internal changes:

  • Update included copy of libglnx
  • flatpak -v now uses the INFO log level, and flatpak -vv uses the
    DEBUG log level in the flatpak log domain. Previously, the extra
    messages that were logged by flatpak -vv were in a separate "flatpak2"
    log domain. G_MESSAGES_DEBUG=flatpak previously had an effect similar to
    flatpak -v, and is now more similar to flatpak -vv. (#5001)

$ sha256sum -b flatpak-1.15.2.tar.xz
292e383d8d1bc1d1fdfd031f3802b0550d90bc4fd300b3e4fd9c2cb0750a8d63 *flatpak-1.15.2.tar.xz

1.14.2

06 Feb 17:52

Bug fixes:

  • Display the intended messages for flatpak repair (#5204)
  • Exporting an app to an existing repository on a CIFS filesystem
    now works as intended (#5257)
  • Unset $GIO_EXTRA_MODULES for apps, avoiding misbehaviour in some GLib
    apps when set to a path on the host (#5206)
  • Unset $XKB_CONFIG_ROOT for apps, avoiding crashes in GTK and Qt apps
    under Wayland when this variable is set to a path not available in the
    sandbox (#5194)
  • Unset $KRB5CCNAME for apps
  • When using the fish shell, avoid duplicate XDG_DATA_DIRS entries if the
    profile script is sourced more than once (#5198)

Internal changes:

  • The INFO log level is now treated the same as the DEBUG log level
    by flatpak -v, to make backports from 1.15.x simpler

$ sha256sum -b flatpak-1.14.2.tar.xz
c80711eacf42a99078f6396aa65555dd6bf73eec631776b79e9d7b7262b6f774 *flatpak-1.14.2.tar.xz

1.14.1

18 Nov 14:38

New features:

  • Add a httpbackend variable to flatpak.pc, allowing dependent projects like GNOME Software to detect whether they are compatible with libflatpak (#5054)

Bug fixes:

  • Terminate the flatpak-session-helper and flatpak-portal services when the session ends, so that applications will not inherit outdated Wayland and X11 socket addresses (#5068)
  • When using fish shell, don't overwrite a previously-set XDG_DATA_DIRS (#5123)
  • Don't try to enable HTTP 2 if linked to a libcurl version that doesn't support it (#5074)
  • Stop systemd reporting the session-helper as failed when terminated by a signal (#5129)
  • Fix a warning when listing a document with no permissions (#5055)
  • Fix compilation with GLib 2.66.x (as used in Debian 11) (#5062)
  • Fix compilation with GLib 2.58.x (as used in Debian 10) (#5066)
  • Fix a compiler warning on 32-bit architectures (#5148)
  • If an app update is blocked by parental controls policies, clean up the temporary deploy directory (#5146)
  • Fix Autotools build with versions of gpgme that no longer provide gpgme-config(1) (#5173)
  • When building with Autotools, be more consistent about applying compiler warning flags (#5149)
  • Unset $TEMP, $TEMPDIR and $TMP for apps, the same as $TMPDIR (#5168)
  • Treat /efi the same as /boot/efi (#5155)
  • Make generated files more reproducible (#5085)
  • Translation updates: cs, id, pl, pt_BR (#5052, #5056, #5059, #5126)

Internal changes:

  • Update project logo in README (#5119)

$ sha256sum -b flatpak-1.14.1.tar.xz
0a3c823343018cc58986b6c82545609c8cdbf0fba5f01d88307bd14acb5dd39f *flatpak-1.14.1.tar.xz

1.15.1

17 Nov 19:50
Pre-release

Dependencies:

  • When building with Meson, gpgme 1.8.0 is now required. Older versions can still be used by building with Autotools.

Features:

  • If an old temporary deploy directory was leaked by versions before #5146, clean it up the next time the same app is updated (#5164)

Bug fixes:

  • If an app update is blocked by parental controls policies, clean up the temporary deploy directory (#5146)
  • Fix Autotools build with versions of gpgme that no longer provide gpgme-config(1) (#5173)
  • Fix a possible parallel build failure with Meson (#5165)
  • Fix a compiler warning on 32-bit architectures (#5148)
  • When building with Autotools, be more consistent about applying compiler warning flags (#5149)
  • Unset $TEMP, $TEMPDIR and $TMP for apps, the same as $TMPDIR (#5168)
  • Treat /efi the same as /boot/efi (#5155)

$ sha256sum -b flatpak-1.15.1.tar.xz
13d34462ed130c0fe4928904cfcbcb7322c46c2c22ad70f657d35577c40d951e *flatpak-1.15.1.tar.xz

1.15.0

24 Oct 19:09
Pre-release

Released: 2022-10-24

Build system:

  • Flatpak can now be compiled using Meson instead of Autotools.
    This requires Meson 0.53.0 or later, and Python 3.5 or later.
    The Autotools build system is likely to be removed during either the
    1.15.x or 1.17.x cycle. (#4845)

New features:

  • Allow the modify_ldt system call as part of --allow=multiarch.
    This increases attack surface, but is required when running 16-bit
    executables in some versions of Wine. (#4297)
  • Share gssproxy socket, which acts like a portal for Kerberos authentication.
    This lets apps use Kerberos authentication without needing a sandbox hole.
    (#4914)
  • Add a httpbackend variable to flatpak.pc, allowing dependent projects
    like GNOME Software to detect whether they are compatible with libflatpak
    (#5054)

Bug fixes:

  • Terminate the flatpak-session-helper and flatpak-portal services when the
    session ends, so that applications will not inherit outdated Wayland
    and X11 socket addresses (#5068)
  • When using fish shell, don't overwrite a previously-set XDG_DATA_DIRS
    (#5123)
  • Don't try to enable HTTP 2 if linked to a libcurl version that doesn't
    support it (#5074)
  • Stop systemd reporting the session-helper as failed when terminated by
    a signal (#5129)
  • Fix a warning when listing a document with no permissions (#5055)
  • Fix compilation with GLib 2.66.x (as used in Debian 11) (#5062)
  • Fix compilation with GLib 2.58.x (as used in Debian 10) (#5066)
  • Make generated files more reproducible (#5085)
  • Translation updates: cs, id, pl, pt_BR (#5052, #5056, #5059, #5126)

Internal changes:

  • Update project logo in README (#5119)
  • Update libglnx subproject (#5140)

$ sha256sum -b flatpak-1.15.0.tar.xz
1b953f5f2684136de4e7930d77c240f04dedd4a114e57bac0a46f5681a0a3fa8 *flatpak-1.15.0.tar.xz