Releases: flatpak/flatpak

1.14.0

23 Aug 05:18

Released: 2022-08-22

Known issues:

  • There may be an issue where non-primary architecture builds don't show up
    (#5045)
  • There is a new security advisory on Flatpak, but none of the supported
    versions are affected because they use new enough versions of libostree
    (GHSA-45jq-5658-v38x)

Dependencies:

  • Conditional on a build time option, revokefs will now use version 3 of the
    FUSE API rather than version 2 (#4326)
  • Libappstream should be updated to at least 0.15.3 to avoid critical warning
    messages when using the "flatpak search" command
    (ximion/appstream#384)

New features:

  • A new key "DeploySideloadCollectionID" is now supported in flatpakref and
    flatpakrepo files, to allow setting a collection ID at the time a remote is
    added from one of those files, rather than when metadata is pulled from the
    remote, and without affecting versions of Flatpak with the older pre-sideload
    P2P implementation (#4826)
  • Allow sub-sandboxes to own MPRIS names on the session bus (#5023)
  • Commands that accept "--user" will now also take "-u" as an alias for that
    (#5014)
  • The CLI now properly informs the user of which apps are (indirectly) using
    end-of-life runtime extensions in end-of-life info messages (#4835)
  • The CLI now takes into account operations in the pending transaction when
    printing end-of-life messages (#4835)
  • The uninstall command now asks for confirmation before removing in-use
    runtimes or runtime extensions (#4835)
  • A "--socket=gpg-agent" option is now recognized by "flatpak run" and related
    commands (#4958)

Bug fixes:

  • Fix a memory corruption issue caused by use of libcurl in an unsafe way
    (#5046)
  • Update selinux policy to cover symbolic links in /var/lib/flatpak (#4992)
  • Fix a crash in case a .desktop file processed by the build-export command has
    no Exec= key, and some related fixes for handling such .desktop files (#4817)
  • Preserve the X11 display number rather than redirecting it to :99 (#5034)

Other changes:

  • Various improvements to the unit tests, CI infra, and documentation
  • Some changes were made to ensure translators can work on full sentences
    rather than fragments in several places
  • Translation updates: de, ru, sv, tr, uk, zh_CN
$ sha256sum -b flatpak-1.14.0.tar.xz 
8e276973770ea24ddf2597ad4aecd36b98393e6bde91e48e1743aaca67f27815 *flatpak-1.14.0.tar.xz

1.13.3

16 Jun 23:05
Pre-release

Released: 2022-06-16

Dependencies:

  • Support curl 7.29 or later as an additional, and the default, HTTP backend
    along with libsoup 2.x (#4943)
  • Clarify that glib 2.46 or later is now required (#4944)

New features:

  • Implement support for rewriting dynamic launchers when an app is renamed
    (#4703)
  • Add --include-sdk/debug options to install command to install SDK/debuginfo
    along with a ref (#4777)
  • Improve --sideload-repo option to take create-usb dirs (#4843)
  • Add a new library API flatpak_transaction_get_operation_for_ref() (#4947)

Bug fixes:

  • Update the SELinux module to explicitly permit the system helper to have
    read access to /etc/passwd and systemd-userdbd, read and lock access to
    /var/lib/flatpak, and watch files inside $libexecdir (#4852, #4855, #4892)
  • Fix the error messages and the exit code of the 'uninstall' command when
    non-existent refs are specified (#4857)
  • Be more careful with errors when creating directories and deleting files,
    and address some memory errors (#4930)
  • Fix support for --noninteractive in the 'uninstall' command (#4947)

Other changes:

  • Cosmetic improvements to end-of-life messages and other aspects of the CLI
    output (#4947)
  • Speed up the tests by not installing the polkit agent (#4942)
  • Disable fuzzy ref matching when ID has a period or a slash, or when the
    standard input or output is not a TTY (#4829, #4848)
  • Update the icon-validator to print the format and size for consumption by
    the dynamic launcher portal (#4803, #4808)
  • Remove a pointless test (#4856)
  • Improve various details of the GitHub workflows (#4870)
  • Prepare for the addition of a Meson build (#4842, #4871, #4888, #4889, #4890)
  • Only add the specified 'summary-arches' to the compat summary. This is
    important since we're nearing the 10MB size limit for Flathub's legacy
    summary files. (#4880)
  • Translation updates: id, pt, sv, tr, uk
$ sha256sum -b flatpak-1.13.3.tar.xz 
f696a4f6587f72a03c2770352f610938d073798a9e3fc6df6aff463509dbf804 *flatpak-1.13.3.tar.xz

1.13.2

14 Mar 16:17
Pre-release

Released: 2022-03-14

Bug fixes:

  • Consistently pass relative subpaths to libostree, working around a bug
    in libostree < 2021.6 when used with GLib >= 2.71 (#4805)
  • Document have-kernel-module-* as having been added in 1.13.1
  • Fix some memory leaks in GVariant data processing
$ sha256sum -b flatpak-1.13.2.tar.xz
27dad03c8478672c0dcbe4d104178c53f49e653a23835c4311f10452236b64b0 *flatpak-1.13.2.tar.xz

1.12.7

14 Mar 18:59

Released: 2022-03-14

  • We now allow networked access to X11 and PulseAudio services if that is configured, and the application has network access. (#397, #3908, #4702)
  • Absolute paths in WAYLAND_DISPLAY now work (#4752)
  • Allow apps that were built with Flatpak 1.13.x to export AppStream metadata in share/metainfo (#4350, #4599)
  • Most commands now work if /var/lib/flatpak exists but /var/lib/flatpak/repo does not, and will automatically populate the repo directory if possible (#4111)
  • Consistently pass relative subpaths to libostree, working around a bug in libostree < 2021.6 when used with GLib >= 2.71 (#4805)
  • Fix some memory leaks in GVariant data processing
$ sha256sum -b flatpak-1.12.7.tar.xz
6db52a531ce278282ac7ebfb99f66a0bb3eccaf44e864844c2c95c1ee5ba9316 *flatpak-1.12.7.tar.xz

Release 1.13.1

01 Mar 21:31
Pre-release

Dependencies:

  • libappstream 0.12.0 or later is now required
  • appstream-glib is no longer required
  • In distributions that compile Flatpak to use a separate bubblewrap (bwrap)
    executable, version 0.5.0 is now required

New features:

  • Create a directory for XDG_STATE_HOME and set the environment variable
    (#4477)
    • Apps requiring a state directory without a dependency on this updated
      Flatpak version can get similar functionality by using:
      --persist=.local/state --unset-env=XDG_STATE_HOME
      which will use the same storage location
  • Set HOST_XDG_STATE_HOME environment variable (#4477)
  • Add have-kernel-module-foo family of conditionals for extensions, a
    generalization of have-intel-gpu (which is now mostly equivalent to
    have-kernel-module-i915) (#4647)
  • Add flatpak document-unexport --doc-id=... (#1897)
  • Export Appstream metadata for host system to use (#4350, #4599)
  • Add command-line completion for the Fish shell (#3109)
  • Add FlatpakTransaction:no-interaction API (#4699)
  • We now allow networked access to X11 and PulseAudio services
    if that is configured, and the application has network access.
    (#397, #3908, #4702)
  • flatpak build-init automatically sets the build directory to be
    ignored by git (#4741)

Other changes:

  • Updated bundled xdg-dbus-proxy to 0.1.3 (#4737)
  • Updated bundled bubblewrap to 0.6.1 (#4779)
  • The default branch in the GitHub repository is now named 'main'
  • Don't offer options in CLI tab completion unless the user typed a '-'
    (#4753)
  • Disable fancy output (e.g. progress bars that get redrawn) when
    G_MESSAGES_DEBUG is set in the environment (#4767)
  • Most commands now work if /var/lib/flatpak exists but /var/lib/flatpak/repo
    does not, and will automatically populate the repo directory if
    possible (#4111)
  • Disable session bus access for flatpak-spawn --sandbox as intended
    (#4630)
  • Make sudo flatpak --user ... fail with an error message, since acting
    on root's per-user installation is unlikely to be what was intended
    (#4638)
  • Don't mention "negative" permissions like !host in /.flatpak-info (#4691)
  • Improve performance when finding related refs
  • Use SHA256 instead of SHA1 to avoid false-positives from static analysis
    (in fact the use of SHA1 was not security-sensitive here) (#4716)
  • Create sandbox's XDG_RUNTIME_DIR with 0700 permissions (#3397)
  • Always create /.flatpak-info with 0600 permissions
  • Absolute paths in WAYLAND_DISPLAY now work (#4752)
  • Improve reliability of detecting the current GTK theme (#4754)
  • Fix some error code paths when deploying malformed apps
  • Improve some error messages
  • Use URN for fontconfig DTD, consistent with fontconfig itself (#4617)
  • Use type -P or command -v in preference to which(1) (#4696)
  • Improve measurement of test coverage (#4681)
  • Translation updates: de, fr, hi, hr, id, oc, pl, pt_BR, sv, uk, zh_CN
$ sha256sum flatpak-1.13.1.tar.xz
e81805618a635592918f2c70f80fa1052d684f580db677ff6bf5838863375c2b  flatpak-1.13.1.tar.xz

Release 1.12.6

22 Feb 01:10
  • Fix a bug that sometimes caused repo corruption in case downloads are
    interrupted or canceled, necessitating a "flatpak repair" to recover
    (#3479, #4258)
  • More reliably detect the GTK theme (#4754)
  • Fix history command unit test in some edge cases (#4764)
  • Improve NEWS for 1.12.5
  • Translation update: pt_BR
$ sha256sum flatpak-1.12.6.tar.xz 
ef02cb505b91cce5173099b5485768eef1899ebcf39edf827c4254163a811627  flatpak-1.12.6.tar.xz

Release 1.12.5

11 Feb 16:58
  • Fixed a case where temporary data was sometimes left in
    /var/lib/flatpak/appstream, and we now detect such leftover data and
    remove it.
  • Fix regressions in flatpak history since 1.9.1
    • Don't display the appstream branch used internally
    • Don't display temporary repositories used internally
    • Warn instead of failing if other non-app, non-runtime refs are found
    • Don't set up an unnecessary polkit agent for flatpak history
    • Add test coverage
  • Don't propagate GStreamer-related environment variables into sandbox
  • Fix a typo in an error message
  • Fix incorrect year in NEWS for 1.12.4 release
  • Translation update: pl
$ sha256sum flatpak-1.12.5.tar.xz 
1cb4a0b0b0c1bdffe644011ee8d17e437b4917c21d4384ec111b3f328206166c  flatpak-1.12.5.tar.xz

Release 1.8.7

03 Feb 11:57

This is an "old-stable" update for users of the Flatpak 1.8.x branch, such as Red Hat Enterprise Linux 8. In environments that do not need to stay on a specific branch, updating to the newest stable version instead of using this version is recommended. At the time of writing, the newest stable version is 1.12.4.

This is a security update that fixes two issues that were found in flatpak:

GHSA-qpjc-vq3c-572j
(also known as CVE-2021-43860)

This issue is about the possibility for a malicious repository to send
invalid application metadata in a way that hides some of the app
permissions displayed during installation.

GHSA-8ch7-5j3h-g4fx
(also known as CVE-2022-21682)

This issue is a problem with how flatpak-builder uses flatpak, that
can cause flatpak-builder --mirror-screenshots-url commands to be
allowed to create directories outside of the build directory.

The fix for this is the addition of a new option,
--nofilesystem=host:reset. In addition to behaving like
--nofilesystem=host, the new option prevents filesystem permissions
from being inherited from the app manifest.

$ sha256sum flatpak-1.8.7.tar.xz 
9d082c81fa733382fc5688b880941e6c82ec671b0a4a4f875b5d66c091a224c3  flatpak-1.8.7.tar.xz

Release 1.8.6

25 Jan 08:54

This is an "old-stable" update for users of the Flatpak 1.8.x branch, such as Red Hat Enterprise Linux 8. In environments that do not need to stay on a specific branch, updating to the newest stable version instead of using this version is recommended. At the time of writing, the newest stable version is 1.12.4.

This security update fixes a potential attack where a flatpak application
could use custom-formatted .desktop files to gain access to files on the
host system. (CVE-2021-21261)
For details, see:
GHSA-4ppf-fxf6-vxg2

This security update also fixes a security vulnerability in the portal
support. Some recently added syscalls were not blocked by the seccomp rules
which allowed the application to create sub-sandboxes which can confuse
the sandboxing verification mechanisms of the portal. This has been
fixed by extending the seccomp rules. (CVE-2021-41133)
For details, see:
GHSA-67h7-w3jq-vh4q

Other changes:

  • Don't inherit an unusual $XDG_RUNTIME_DIR setting into the sandbox, fixing
    a regression introduced when CVE-2021-21261 was fixed in 1.8.5 and 1.10.0
  • Fix fd confusion in flatpak-spawn --env=... --forward-fd=..., resolving a
    regression introduced in 1.8.5
  • Fix deploys of local remotes in system-helper, possibly involving newer
    GLib versions
  • Memory leak fixes backported from 1.10.2 and 1.11.2
  • File descriptor leak fixes backported from 1.10.2, 1.10.3 and 1.11.2
  • Add --enable-asan configure option backported from 1.10.1
  • The .profile snippets now disable GVfs when calling flatpak to
    avoid spawning a gvfs daemon when logging in via ssh
  • Fix test failures on non-x86_64 systems
  • Update Polish translation
$ sha256sum flatpak-1.8.6.tar.xz 
70dc6bb6231c494885dd82f6607a3033b7636c0ad0c399e59f7c760fbffb4de7  flatpak-1.8.6.tar.xz

1.12.4

18 Jan 18:50

Released: 2022-01-18

This is a regression fix update, reverting non-backwards-compatible
behaviour changes in the solution previously chosen for CVE-2022-21682.

Flatpak 1.12.3 and 1.10.6 changed the behaviour of --nofilesystem=host
and --nofilesystem=home in a way that was not backwards-compatible in
all cases. For example, some Flatpak users previously used a global
flatpak override --nofilesystem=home or
flatpak override --nofilesystem=host, but expected that individual apps
would still be able to have finer-grained filesystem access granted by the
app manifest, such as Zoom's --filesystem=~/Documents/Zoom:create. With
the changes in 1.12.3, this no longer had the intended result, because
--nofilesystem=home was special-cased to disallow inheriting the
finer-grained --filesystem.

Flatpak 1.12.4 and 1.10.7 return to the previous behaviour of
--nofilesystem=host and --nofilesystem=home. Instead, CVE-2022-21682
will be resolved by a new 1.2.2 release of flatpak-builder, which will
use a new option --nofilesystem=host:reset introduced in Flatpak 1.12.4
and 1.10.7. In addition to behaving like --nofilesystem=host, the new
option prevents filesystem permissions from being inherited from the
app manifest.
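
The layering described above and in the 1.8.7 notes, as an added example that is not part of the release notes or of Flatpak's code: a simplified Python model in which an override layer is merged over the app manifest. The function names, the dictionary representation and the sample manifest are assumptions made for illustration.

```python
# Simplified model of layered filesystem permissions (an assumption made for
# illustration; not Flatpak's implementation). Each layer is a list of
# --filesystem / --nofilesystem arguments, applied on top of the layer below.
MODES = {"ro", "rw", "create"}

def parse_layer(args):
    """Return (reset, entries); entries maps a name to a mode, or None if revoked."""
    reset, entries = False, {}
    for arg in args:
        opt, _, value = arg.partition("=")
        if opt == "--nofilesystem":
            if value == "host:reset":
                reset, value = True, "host"   # also behaves like --nofilesystem=host
            entries[value] = None
        elif opt == "--filesystem":
            path, sep, mode = value.rpartition(":")
            if not sep or mode not in MODES:  # no ":mode" suffix given
                path, mode = value, "rw"
            entries[path] = mode
        else:
            raise ValueError(f"unsupported argument: {arg}")
    return reset, entries

def merge(lower, args):
    """Apply one layer on top of the permissions inherited from below."""
    reset, entries = parse_layer(args)
    result = {} if reset else dict(lower)     # :reset drops everything inherited
    for name, mode in entries.items():
        if mode is None:
            result.pop(name, None)            # revokes this exact entry only
        else:
            result[name] = mode
    return result

def effective(manifest_args, override_args):
    """Permissions left after the override layer is merged over the manifest."""
    return merge(merge({}, manifest_args), override_args)

# Constructed sample manifest, reusing the Zoom grant quoted in the notes.
MANIFEST = ["--filesystem=home:ro", "--filesystem=~/Documents/Zoom:create"]

if __name__ == "__main__":
    for override in (["--nofilesystem=home"], ["--nofilesystem=host"],
                     ["--nofilesystem=host:reset"]):
        print(override, "->", effective(MANIFEST, override))
```

In this model, only the host:reset layer leaves nothing inherited from the manifest; the plain --nofilesystem forms revoke the named entry and keep the finer-grained grant.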

Other changes:

  • Clarify documentation of --nofilesystem
  • Improve unit test coverage around --filesystem and --nofilesystem
  • Restore compatibility with older appstream-glib versions, fixing a
    regression in 1.12.3

sha256:

792e6265f7f6d71b2a087028472a048287bed2587e43d2eec2c31d360c16211c *flatpak-1.12.4.tar.xz