tag name: 1.10.8 (85d23a533538425eef617e547a36f04fc6b2b5f7)
tag date: 2023-03-16 14:34:26 +0000
tagged by: Simon McVittie <smcv@collabora.com>
tagged object: commit d771946b01...
download: flatpak-1.10.8.tar.gz

flatpak 1.10.8

Security fixes:

* Escape special characters when displaying permissions and metadata,
  preventing malicious apps from manipulating the appearance of the
  permissions list using crafted metadata (CVE-2023-28101).

* If a Flatpak app is run on a Linux virtual console (tty1, tty2, etc.),
  don't allow copy/paste via the TIOCLINUX ioctl (CVE-2023-28100).
  Note that this is specific to virtual consoles: Flatpak is not
  vulnerable to this if run from a graphical terminal emulator such as
  xterm, gnome-terminal or Konsole.

Other bug fixes:

* If an app update is blocked by parental controls policies, clean up
  the temporary deploy directory (#5146)

* Fix Autotools build with versions of gpgme that no longer provide
  gpgme-config(1) (#5173)

* Fix regressions in `flatpak history` since 1.9.1
  - Don't display the appstream branch used internally
  - Don't display temporary repositories used internally
  - Ignore transaction log entries with empty REF field
  - Warn instead of failing if other non-app, non-runtime refs are found
  - Don't set up an unnecessary polkit agent for `flatpak history`
  - Add test coverage

* Fix a typo in an error message

* Fix incorrect year in NEWS for 1.10.7 release

* Translation update: pl

* Add test coverage for Flatpak's seccomp filters

Git-EVTag-v0-SHA512: 8962500582d542dbbc332ba8fe43866bf57f7d18873edba13dfdc83e7eeb67bb4ed4f0d3688f6978cbfad80709ebdfc0f03826b873027936b259f1b1fd0da2f5