Tags: flatpak/flatpak
flatpak 1.14.4

Security fixes:

* Escape special characters when displaying permissions and metadata, preventing malicious apps from manipulating the appearance of the permissions list using crafted metadata (CVE-2023-28101).
* If a Flatpak app is run on a Linux virtual console (tty1, tty2, etc.), don't allow copy/paste via the TIOCLINUX ioctl (CVE-2023-28100). Note that this is specific to virtual consoles: Flatpak is not vulnerable to this if run from a graphical terminal emulator such as xterm, gnome-terminal or Konsole.

Other bug fixes:

* Translation update: pl

Git-EVTag-v0-SHA512: a83091c2a471dbb072f231e53ebe24edab3ecfdfd99fdbc6aa2d11a56441fe8117f01a3c6244e83cac7a603273e338309c72e527badf86c4ab2e0c8471a86b8e

flatpak 1.12.8

Security fixes:

* Escape special characters when displaying permissions and metadata, preventing malicious apps from manipulating the appearance of the permissions list using crafted metadata (CVE-2023-28101).
* If a Flatpak app is run on a Linux virtual console (tty1, tty2, etc.), don't allow copy/paste via the TIOCLINUX ioctl (CVE-2023-28100). Note that this is specific to virtual consoles: Flatpak is not vulnerable to this if run from a graphical terminal emulator such as xterm, gnome-terminal or Konsole.

Other bug fixes:

* Update the SELinux module to explicitly permit the system helper to have read access to /etc/passwd and systemd-userdbd, read and lock access to /var/lib/flatpak, and watch files inside $libexecdir (#4852, #4855, #4892; Red Hat #2071217, #2071215, #2070741, #2053634, #2070350)
* If an app update is blocked by parental controls policies, clean up the temporary deploy directory (#5146)
* Fix Autotools build with versions of gpgme that no longer provide gpgme-config(1) (#5173)
* Remove some unreachable code (Coverity: CID 1514265)
* Add missing handling for some D-Bus errors

Git-EVTag-v0-SHA512: b8360cfc1de210ab96fd73547a1c6c99e4b75a9baa9485b8edb8b88300524132598f3b645a04b649a67a11f2e51846579f9886e000e7940686f60b6411627103

flatpak 1.10.8

Security fixes:

* Escape special characters when displaying permissions and metadata, preventing malicious apps from manipulating the appearance of the permissions list using crafted metadata (CVE-2023-28101).
* If a Flatpak app is run on a Linux virtual console (tty1, tty2, etc.), don't allow copy/paste via the TIOCLINUX ioctl (CVE-2023-28100). Note that this is specific to virtual consoles: Flatpak is not vulnerable to this if run from a graphical terminal emulator such as xterm, gnome-terminal or Konsole.

Other bug fixes:

* If an app update is blocked by parental controls policies, clean up the temporary deploy directory (#5146)
* Fix Autotools build with versions of gpgme that no longer provide gpgme-config(1) (#5173)
* Fix regressions in `flatpak history` since 1.9.1
  - Don't display the appstream branch used internally
  - Don't display temporary repositories used internally
  - Ignore transaction log entries with empty REF field
  - Warn instead of failing if other non-app, non-runtime refs are found
  - Don't set up an unnecessary polkit agent for `flatpak history`
  - Add test coverage
* Fix a typo in an error message
* Fix incorrect year in NEWS for 1.10.7 release
* Translation update: pl
* Add test coverage for Flatpak's seccomp filters

Git-EVTag-v0-SHA512: 8962500582d542dbbc332ba8fe43866bf57f7d18873edba13dfdc83e7eeb67bb4ed4f0d3688f6978cbfad80709ebdfc0f03826b873027936b259f1b1fd0da2f5

flatpak v1.14.3

Bug fixes:

* When splitting an upgrade into two steps (download without installing, and then upgrade without allowing further downloads) like GNOME Software does, if an app is marked EOL and superseded by a replacement, don't remove the superseded app in the first step, which would result in the replacement incorrectly not being installed (#5172)
* Fix a crash when `--socket=gpg-agent` is used (#5095)
* Fix a crash when listing apps if one of them is broken or misconfigured (#5293)
* If an app has invalid syntax in its overrides or metadata, mention the filename in the error message (#5293)
* Unset `$GDK_BACKEND` for apps, ensuring GTK apps with `--socket=fallback-x11` can work (#5303)
* Never try to export a parent of reserved directories as a `--filesystem`, for example `/run`, which would prevent the app from starting (#5205, #5207)
* Never try to export a `--filesystem` below `/run/flatpak` or `/run/host`, which could similarly prevent the app from starting
* The above change also fixes apps not starting if a `--filesystem` is a symlink to the root directory (#1357)
* Show a warning when the `--filesystem` exists but cannot be shared with the sandbox (#1357, #5035, #5205, #5207)

Git-EVTag-v0-SHA512: c87becc8f0d6650a0904cc46db572ce71f2ec0a2098425caa5ba604d0b4395c160f4760a33b252a29e22fbb2b8db14aefd224721dfb26c536f2db41f781d4d28

flatpak 1.15.3

Build system:

* Building this version of Flatpak with Meson is recommended. The source release flatpak-1.15.3.tar.xz no longer contains Autotools-generated files, although this version can still be built using Autotools after running `./autogen.sh`. Future versions are likely to remove the Autotools build system.

Bug fixes:

* When splitting an upgrade into two steps (download without installing, and then upgrade without allowing further downloads) like GNOME Software does, if an app is marked EOL and superseded by a replacement, don't remove the superseded app in the first step, which would result in the replacement incorrectly not being installed (#5172)
* Fix a crash when --socket=gpg-agent is used (#5095)
* Fix a crash when listing apps if one of them is broken or misconfigured (#5293)
* If an app has invalid syntax in its overrides or metadata, mention the filename in the error message (#5293)
* Unset $GDK_BACKEND for apps, ensuring GTK apps with --socket=fallback-x11 can work (#5303)
* Fix a deprecation warning when compiled with curl >= 7.85 (#5284)
* Translation updates: es, ru (#5266, #5312, #5313)

Internal changes:

* Better diagnostic messages for why runtimes are or are not considered unused (#5237)

Git-EVTag-v0-SHA512: a440a346d1107375245c3013c6b2d044eb187302bc6e4d1db66ec8c7b1a2353ee5b5edf8779d9378ea5c482619c40f003ccd7a3d9825a45f99ae356ac3db2a16

flatpak 1.15.2

Bug fixes:

* Never try to export a parent of reserved directories as a --filesystem, for example /run, which would prevent the app from starting (#5205, #5207)
* Never try to export a --filesystem below /run/flatpak or /run/host, which could similarly prevent the app from starting
* The above change also fixes apps not starting if a --filesystem is a symlink to the root directory (#1357)
* Show a warning when the --filesystem exists but cannot be shared with the sandbox (#1357, #5035, #5205, #5207)
* Display the intended messages for `flatpak repair` (#5204)
* Exporting an app to an existing repository on a CIFS filesystem now works as intended (#5257)
* Unset $GIO_EXTRA_MODULES for apps, avoiding misbehaviour in some GLib apps when set to a path on the host (#5206)
* Unset $XKB_CONFIG_ROOT for apps, avoiding crashes in GTK and Qt apps under Wayland when this variable is set to a path not available in the sandbox (#5194)
* When using the fish shell, avoid duplicate XDG_DATA_DIRS entries if the profile script is sourced more than once (#5198)
* Update included copy of bubblewrap to 0.7.0 for better error messages
* Install SELinux files correctly when building with Meson
* Translation updates: ru, tr (#5256, #5262)

Internal changes:

* Update included copy of libglnx
* flatpak -v now uses the INFO log level, and flatpak -vv uses the DEBUG log level in the flatpak log domain. Previously, the extra messages that were logged by flatpak -vv were in a separate "flatpak2" log domain. G_MESSAGES_DEBUG=flatpak previously had an effect similar to flatpak -v, and is now more similar to flatpak -vv. (#5001)

Git-EVTag-v0-SHA512: 1f4eb9112c79cbd33fe8a4d9ac9f3cadbcdae0bd02ae5361588e6fb37eae41ffcebe466c204f531fbc69012aadc86268c588d20507e10fab99e7bca0c19f29b2

flatpak 1.14.2

Bug fixes:

* Display the intended messages for `flatpak repair` (#5204)
* Exporting an app to an existing repository on a CIFS filesystem now works as intended (#5257)
* Unset $GIO_EXTRA_MODULES for apps, avoiding misbehaviour in some GLib apps when set to a path on the host (#5206)
* Unset $XKB_CONFIG_ROOT for apps, avoiding crashes in GTK and Qt apps under Wayland when this variable is set to a path not available in the sandbox (#5194)
* Unset $KRB5CCNAME for apps
* When using the fish shell, avoid duplicate XDG_DATA_DIRS entries if the profile script is sourced more than once (#5198)

Internal changes:

* The INFO log level is now treated the same as the DEBUG log level by `flatpak -v`, to make backports from 1.15.x simpler

Git-EVTag-v0-SHA512: 4105887de752427fab1a5e08ca870b2d4d0b06b26588e4755aaba907a96d0693e1249bedf10013f09bbbfa6db34b29b503056f0ccf0ea385cf4c05c6fb49f12f

flatpak 1.14.1

New features:

* Add a httpbackend variable to flatpak.pc, allowing dependent projects like GNOME Software to detect whether they are compatible with libflatpak (#5054)

Bug fixes:

* Terminate the flatpak-session-helper and flatpak-portal services when the session ends, so that applications will not inherit outdated Wayland and X11 socket addresses (#5068)
* When using `fish` shell, don't overwrite a previously-set XDG_DATA_DIRS (#5123)
* Don't try to enable HTTP 2 if linked to a libcurl version that doesn't support it (#5074)
* Stop systemd reporting the session-helper as failed when terminated by a signal (#5129)
* Fix a warning when listing a document with no permissions (#5055)
* Fix compilation with GLib 2.66.x (as used in Debian 11) (#5062)
* Fix compilation with GLib 2.58.x (as used in Debian 10) (#5066)
* Fix a compiler warning on 32-bit architectures (#5148)
* If an app update is blocked by parental controls policies, clean up the temporary deploy directory (#5146)
* Fix Autotools build with versions of gpgme that no longer provide gpgme-config(1) (#5173)
* When building with Autotools, be more consistent about applying compiler warning flags (#5149)
* Unset $TEMP, $TEMPDIR and $TMP for apps, the same as $TMPDIR (#5168)
* Treat /efi the same as /boot/efi (#5155)
* Make generated files more reproducible (#5085)
* Translation updates: cs, id, pl, pt_BR (#5052, #5056, #5059, #5126)

Internal changes:

* Update project logo in README (#5119)

Git-EVTag-v0-SHA512: 50f6c1134c20a8f0c676a36bebd2e2782fa8f52490365ab0a96c24981fd1ccf0bbbe5370decfc0782af04f0299a10481656a12d5f826616bf94ec0ae9f45f8bd

flatpak 1.15.1

Dependencies:

* When building with Meson, gpgme 1.8.0 is now required. Older versions can still be used by building with Autotools.

Features:

* If an old temporary deploy directory was leaked by versions before #5146, clean it up the next time the same app is updated (#5164)

Bug fixes:

* If an app update is blocked by parental controls policies, clean up the temporary deploy directory (#5146)
* Fix Autotools build with versions of gpgme that no longer provide gpgme-config(1) (#5173)
* Fix a possible parallel build failure with Meson (#5165)
* Fix a compiler warning on 32-bit architectures (#5148)
* When building with Autotools, be more consistent about applying compiler warning flags (#5149)
* Unset $TEMP, $TEMPDIR and $TMP for apps, the same as $TMPDIR (#5168)
* Treat /efi the same as /boot/efi (#5155)

Git-EVTag-v0-SHA512: 7afbdf3846d86e1e1b5459e71ee499ee338068a6929203c151705a9da5d117efe4fb752fc9d2a17610fa034aec6c7326a0f43482663b5971f9e80757dad9393b