Tags: pabloyoyoista/flatpak
flatpak 1.15.8

Security fixes:

* Don't allow an executable name to be misinterpreted as a command-line option for bwrap(1). This prevents a sandbox escape where a malicious or compromised app could ask xdg-desktop-portal to generate a .desktop file with access to files outside the sandbox. (CVE-2024-32462)

Other bug fixes:

* Pass the -export-dynamic linker option as -Wl,-export-dynamic, fixing build failures with clang 18 and lld 18 (flatpak#5760)
* Fix a double-free when installation is cancelled (flatpak#5763)
* Fix installed-tests failure with "FUSERMOUNT: unbound variable" (flatpak#5751)
* Translation updates: pt_BR (flatpak#5762), tr (flatpak#5761)

Git-EVTag-v0-SHA512: 6bb3122c4a22c23543d587bf1373bb73a64533affc5208847026ae28dc81f5fd16587a05e8c5f77ebafb522027e2e08173e4f31921183401b9259011e41384fa

flatpak 1.15.7

Dependencies:

* The Meson build system is now required. Compiling with Autotools is no longer possible.
* In distributions that compile Flatpak to use a separate bubblewrap (bwrap) executable, version 0.9.0 is recommended. Several of the bug fixes listed below will not be active if an older version is used.
* In distributions that compile Flatpak to use a separate xdg-dbus-proxy executable, version 0.1.5 is recommended.
* If libmalcontent (parental controls) is enabled, it must be version 0.5.0 or later.

New features:

* Automatically remove obsolete driver versions and other autopruned refs (flatpak#5632)
* `--socket=inherit-wayland-socket` (flatpak#5614)
* Automatically reload D-Bus session bus configuration after installing or upgrading apps, to pick up any exported D-Bus services (flatpak#3342)

Bug fixes:

* Update included copy of bubblewrap to version 0.9.0:
  * `--symlink` is now idempotent, meaning it succeeds if the symlink already exists and already has the desired target (flatpak#2387, flatpak#3477, flatpak#5255)
  * Report a better error message if `mount(2)` fails with `ENOSPC`
  * Fix a double-close on error reading from `--args`, `--seccomp` or `--add-seccomp-fd` argument
  * Improve memory allocation behaviour
  * Silence various compiler warnings
* Update included copy of bubblewrap to version 0.1.5:
  * Fix handling of long object paths
* Don't parse `<developer><name/></developer>` as the application name (flatpak#5700)
* Don't refuse to start apps when there is no D-Bus system bus available (flatpak#5076)
* Don't try to repeat migration of apps whose data was migrated to a new name and then deleted (flatpak#5668)
* Improve handling of mixed locales on systems with systemd-localed (flatpak#5497)
* Improve display of ellipsized columns in wide terminals (flatpak#5722)
* Make `flatpak info -e` look for extensions in all installations (flatpak#5670)
* Fix warnings from newer GLib versions (flatpak#5660, flatpak#5737)
* Always set the `container` environment variable (flatpak#5610)
* Always let the app inherit redirected file descriptors (flatpak#5626)
* In `flatpak ps`, add xdg-desktop-portal-gnome to the list of backends we'll use to learn which apps are running in the background (flatpak#5729)
* Don't use `WAYLAND_SOCKET` unless given `--socket=inherit-wayland-socket` (flatpak#5614)
* Use `fusermount3` if compiled with FUSE 3, overridable with `-Dsystem_fusermount` compile-time option (flatpak#5104)
* Avoid leaking a temporary variable from /etc/profile.d/flatpak.sh into the shell environment (flatpak#5574)
* Improve async-signal safety (flatpak#5687)
* Fix various memory leaks (flatpak#5683, flatpak#5690, flatpak#5691)
* Avoid undefined behaviour of signed left-shift when storing object IDs in a hash table (flatpak#5738)
* Detect the correct gtk-doc when cross-compiling (flatpak#5650)
* Detect the correct wayland-scanner when cross-compiling (flatpak#5596)
* Documentation improvements (flatpak#5659, flatpak#5677, flatpak#5682, flatpak#5664, flatpak#5719)
* Skip more tests when FUSE isn't available (flatpak#5611)
* Translation updates (flatpak#5602, flatpak#5707)

Git-EVTag-v0-SHA512: db8fc26de3ac72e7ec53a0a63401542c268e3d25c6ff2540ef062a073ae8ba3c9e894ae29575e757db5a7253deee36dcb1241776585eb7f3b6c889c308cd8792

flatpak 1.15.6

Dependencies:

* In distributions that compile Flatpak to use a separate bubblewrap (bwrap) executable, version 0.8.0 is now required.
* Enabling the optional Wayland security context feature requires libwayland-client, wayland-scanner >= 1.15 and wayland-protocols >= 1.32.
* Ubuntu 18.04 is no longer routinely tested. Support for dependency versions included in Ubuntu 18.04 should be considered "at risk".

Features:

* Add --device=input, for access to evdev devices in /dev/input (flatpak#5481)
* Update bundled copy of bubblewrap to version 0.8.0, and rely on its features:
  * Improve error message if seccomp is disabled in kernel config
  * Security hardening: set user namespace limit to 0, to prevent creation of nested user namespaces in a more robust way (flatpak#5084)
* For subsandboxes started by flatpak-portal, inherit environment variables from the `flatpak run` that started the original instance rather than from flatpak-portal, fixing behaviour of FLATPAK_GL_DRIVERS and similar features (flatpak#5278)
* Stop http transfers if a download in progress becomes very slow (flatpak#5519)
* Make it easier to configure extra languages, by picking them up from AccountsService if configured there (flatpak#5006)
* Add new flatpak_transaction_add_rebase_and_uninstall() API, allowing end-of-life apps to be replaced by their intended replacement more reliably (flatpak#3991)
* Create a private Wayland socket with the "security context" extension if available, allowing the compositor to identify connections from sandboxed apps as belonging to the sandbox (flatpak#4920, flatpak#5507, flatpak#5558)
* Update libglnx to 2023-08-29
* Use features of newer GLib versions if available
* Turn off system-level crash reporting infrastructure during some unit tests that involve intentional assertion failures
* Add anchors to link to sections of flatpak-metadata documentation (flatpak#5582)
* New translations: ka, nl.

Bug fixes:

* Avoid warnings processing symbolic links with GLib >= 2.77.0, and with GLib 2.76.0 (GLib 2.76.1 or later silences these warnings)
* Bypass page cache for backend requests in revokefs, fixing installation errors with libostree 2023.4 (flatpak#5452)
* Show AppStream metadata in `flatpak remote-info` as intended (flatpak#5523; regression in 1.9.1)
* Don't let Flatpak apps inherit VK_DRIVER_FILES or VK_ICD_FILENAMES from the host system, which would be wrong for the sandbox (flatpak#5553)
* Fix build failure with prereleases of libappstream 0.17.x (flatpak#5472)
* Forward-compatibility with libappstream 1.0 (flatpak#5563)
* Fix installation with Meson if configured with -Dauto_sideloading=true (flatpak#5495)
* Fix a memory leak (flatpak#5329)
* Fix compiler warnings (flatpak#5362, flatpak#5366)
* Make the tests fail more comprehensibly if a required tool is missing (flatpak#5020)
* Clean up `/var/tmp/flatpak-cache-*` directories on boot (flatpak#1119)
* Don't force `GIO_USE_VFS=local` for programs launched via flatpak-spawn (flatpak#5567)
* Clarify documentation for D-Bus name ownership (flatpak#5582)
* Translation updates: id, tr, zh_CN (flatpak#5332, flatpak#5565)

Internal changes:

* Split up large source files into smaller modules, reducing internal circular dependencies (flatpak#5410, flatpak#5411, flatpak#5415, flatpak#5419, flatpak#5416, flatpak#5414)
* Re-synchronize code backported from GLib with the version in GLib (flatpak#5410)
* Make the flags used to apply "extra data" clearer (flatpak#5466)
* Use glnx_opendirat() where possible (flatpak#5527)
* CI improvements (flatpak#5374, flatpak#5381)

Git-EVTag-v0-SHA512: 89a8b1248147640dc1729a4ee42a2bec5e887d97ece9eb7dcf1a11ae03c40a7eabb3d25eb9a8ab7be4548c68f4b9a5d6a6c3902d3912c8748aea1879de8b80b6

flatpak 1.15.4

Security fixes:

* Escape special characters when displaying permissions and metadata, preventing malicious apps from manipulating the appearance of the permissions list using crafted metadata (CVE-2023-28101).
* If a Flatpak app is run on a Linux virtual console (tty1, tty2, etc.), don't allow copy/paste via the TIOCLINUX ioctl (CVE-2023-28100). Note that this is specific to virtual consoles: Flatpak is not vulnerable to this if run from a graphical terminal emulator such as xterm, gnome-terminal or Konsole.

Other bug fixes:

* Document the path used for `flatpak override`
* Translation updates: oc, pl, ru, sv, tr

Git-EVTag-v0-SHA512: da193fee33f3108222ff5e3b48fdd6c41ff5215fd0e556864f597f3a81d521fa794ec1c6918b67c0efe47b9be0a03181d2a1f2ab9910fdb8479d3f5da65372d5

flatpak 1.15.3

Build system:

* Building this version of Flatpak with Meson is recommended. The source release flatpak-1.15.3.tar.xz no longer contains Autotools-generated files, although this version can still be built using Autotools after running `./autogen.sh`. Future versions are likely to remove the Autotools build system.

Bug fixes:

* When splitting an upgrade into two steps (download without installing, and then upgrade without allowing further downloads) like GNOME Software does, if an app is marked EOL and superseded by a replacement, don't remove the superseded app in the first step, which would result in the replacement incorrectly not being installed (flatpak#5172)
* Fix a crash when --socket=gpg-agent is used (flatpak#5095)
* Fix a crash when listing apps if one of them is broken or misconfigured (flatpak#5293)
* If an app has invalid syntax in its overrides or metadata, mention the filename in the error message (flatpak#5293)
* Unset $GDK_BACKEND for apps, ensuring GTK apps with --socket=fallback-x11 can work (flatpak#5303)
* Fix a deprecation warning when compiled with curl >= 7.85 (flatpak#5284)
* Translation updates: es, ru (flatpak#5266, flatpak#5312, flatpak#5313)

Internal changes:

* Better diagnostic messages for why runtimes are or are not considered unused (flatpak#5237)

Git-EVTag-v0-SHA512: a440a346d1107375245c3013c6b2d044eb187302bc6e4d1db66ec8c7b1a2353ee5b5edf8779d9378ea5c482619c40f003ccd7a3d9825a45f99ae356ac3db2a16

flatpak 1.15.2

Bug fixes:

* Never try to export a parent of reserved directories as a --filesystem, for example /run, which would prevent the app from starting (flatpak#5205, flatpak#5207)
* Never try to export a --filesystem below /run/flatpak or /run/host, which could similarly prevent the app from starting
* The above change also fixes apps not starting if a --filesystem is a symlink to the root directory (flatpak#1357)
* Show a warning when the --filesystem exists but cannot be shared with the sandbox (flatpak#1357, flatpak#5035, flatpak#5205, flatpak#5207)
* Display the intended messages for `flatpak repair` (flatpak#5204)
* Exporting an app to an existing repository on a CIFS filesystem now works as intended (flatpak#5257)
* Unset $GIO_EXTRA_MODULES for apps, avoiding misbehaviour in some GLib apps when set to a path on the host (flatpak#5206)
* Unset $XKB_CONFIG_ROOT for apps, avoiding crashes in GTK and Qt apps under Wayland when this variable is set to a path not available in the sandbox (flatpak#5194)
* When using the fish shell, avoid duplicate XDG_DATA_DIRS entries if the profile script is sourced more than once (flatpak#5198)
* Update included copy of bubblewrap to 0.7.0 for better error messages
* Install SELinux files correctly when building with Meson
* Translation updates: ru, tr (flatpak#5256, flatpak#5262)

Internal changes:

* Update included copy of libglnx
* flatpak -v now uses the INFO log level, and flatpak -vv uses the DEBUG log level in the flatpak log domain. Previously, the extra messages that were logged by flatpak -vv were in a separate "flatpak2" log domain. G_MESSAGES_DEBUG=flatpak previously had an effect similar to flatpak -v, and is now more similar to flatpak -vv. (flatpak#5001)

Git-EVTag-v0-SHA512: 1f4eb9112c79cbd33fe8a4d9ac9f3cadbcdae0bd02ae5361588e6fb37eae41ffcebe466c204f531fbc69012aadc86268c588d20507e10fab99e7bca0c19f29b2

flatpak 1.15.1

Dependencies:

* When building with Meson, gpgme 1.8.0 is now required. Older versions can still be used by building with Autotools.

Features:

* If an old temporary deploy directory was leaked by versions before flatpak#5146, clean it up the next time the same app is updated (flatpak#5164)

Bug fixes:

* If an app update is blocked by parental controls policies, clean up the temporary deploy directory (flatpak#5146)
* Fix Autotools build with versions of gpgme that no longer provide gpgme-config(1) (flatpak#5173)
* Fix a possible parallel build failure with Meson (flatpak#5165)
* Fix a compiler warning on 32-bit architectures (flatpak#5148)
* When building with Autotools, be more consistent about applying compiler warning flags (flatpak#5149)
* Unset $TEMP, $TEMPDIR and $TMP for apps, the same as $TMPDIR (flatpak#5168)
* Treat /efi the same as /boot/efi (flatpak#5155)

Git-EVTag-v0-SHA512: 7afbdf3846d86e1e1b5459e71ee499ee338068a6929203c151705a9da5d117efe4fb752fc9d2a17610fa034aec6c7326a0f43482663b5971f9e80757dad9393b

Release 1.14.0

Git-EVTag-v0-SHA512: 3f5df2dee0fbe44de0f67bf1ab908cb1ad6b6c22a7989c77c01f059d758255921652ab866228a81461fba9a54985bd73a9dd423b12f418190f2abbc6f3fa2730
ExtendedVerify-SHA256-archive-tar: 9dc1a19cfce209ed8c740a84ee14a4d4cf331e04b876366d04361b4744c2c19e
ExtendedVerify-git-version: git version 2.37.2

Release 1.13.3

Git-EVTag-v0-SHA512: cf7729c853e962700650f01d8132bc4b21f67217e93bfafdbb0cb52e22e52ee46990951971ef26acc618fae0a48f73ebade3ff265596cbbdb67120b987aa8651
ExtendedVerify-SHA256-archive-tar: 8e0a350e8a6394a7b64824f45daeac499a5f03d1222b0620738fe85287740f9f
ExtendedVerify-git-version: git version 2.36.1