2019-03-28 - Antonio Larrosa <email@example.com>
- Add upstream patch to fix a sandbox bypass using the TIOCSTI ioctl
(boo#1130637, CVE-2019-10063, gh#flatpak/flatpak#2782)
2019-02-13 - firstname.lastname@example.org
- Update to version 1.2.3:
+ Don't expose /proc in apply_extra script sandbox. The CVE-2019-5736
runc vulnerability is about using /proc/self/exe to modify the host
side binary from the sandbox. This mostly does not affect flatpak
since the flatpak sandbox is not run with root permissions.
However, there is one case (running the apply_extra script for
system installs) where this happens, so this release contains a fix
- Update to version 1.2.2:
+ Reverted green checkboxes as they caused table alignment issues
+ Fix a division by zero if the terminal reports a zero terminal
width (which happens in the flathub build environment).
- Update to version 1.2.1:
+ Ensure flatpak builds with older versions of glib and
+ build-commit-from: Fix the new --extra-id option.
+ build-export: Allow disabling the sandboxing of the icon validator
and do so during the tests.
+ profile: Don't break if debug logging is enabled.
+ Better handling of the appdata release attribute.
+ Don't install polkit agent when not needed, avoiding some
unnecessary log lines in some cases.
+ Fix the output of the sandboxed icon validator not being visible.
+ build-init: Allow specifying a full ref for the sdk, which is
used to select the branch name when checking sdk extensions.
+ Make the ok checks in the output green
2019-01-28 - email@example.com
- Update to version 1.2.0:
+ Ensure DeployCollectionID works in flatpakrepo files in all
+ Don't error out with empty installations in uninstall.
+ Add helper that validates icon files during export.
+ Don't allow root to modify the (non-root) per-user flatpak
installation, as this risks causing problems later.
+ Remove some incorrect warnings from flatpak repair.
+ Allow multiple name segments after prefix when exporting files.
+ Allow specification of ellipsization in --columns options.
+ Handle dates as well as timestamps in appdata
+ Fixed a bug where flatpak remote-delete removed too many refs.
+ Now we use raw terminal mode during a transaction to avoid
problems with input during the operation causing problems with
+ Generate a fontconfig directory remapping snippet as will be
needed for newer versions of fontconfig.
+ Support --extra-collection-id in build-commit-from to bind the
commit to multiple collection ids. This is work in progress in
- Add pkgconfig(dconf) BuildRequires: New dependency.
2018-12-13 - firstname.lastname@example.org
- Update to version 1.0.6:
+ This release fixes an issue that lets system-wide installed
applications create setuid root files inside their app dir
(somewhere in /var/lib/flatpak/app). Setuid support is disabled
inside flatpaks, so such files are only a risk if the user runs
them manually outside flatpak. Installing a flatpak system-wide
needs root access, so this isn't a privilege elevation for
+ The permissions of the files created by the apply_extra script
are canonicalized and the script itself is run without any
is canonicalized and the script itself is run without any
+ Better matching of existing remotes when the local and remote
configuration differs wrt collection ids.
+ New flatpakrepo DeployCollectionID replaces CollectionID, doing
the same thing. It is recommended to use this instead because
older versions of flatpak have bugs in the support of collection
ids, and this key will only be respected in versions where it
+ The X11 socket is now mounted read-only.
2018-12-13 - email@example.com
- Mark flatpak.sh as %config and move the systemhelper dbus config
file under /usr
- Remove the flatpak-rpmlintrc file that is no longer needed.