Format: 1.8
Date: Fri, 10 Apr 2026 20:03:53 +0100
Source: flatpak
Binary: flatpak flatpak-dbgsym flatpak-tests flatpak-tests-dbgsym gir1.2-flatpak-1.0 libflatpak-dev libflatpak0 libflatpak0-dbgsym
Architecture: s390x
Version: 1.16.6-1~deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: s390x Build Daemon (ziehrer)
Changed-By: Simon McVittie
Description:
 flatpak - Application deployment framework for desktop apps
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 1132943 1132944 1132945 1132946
Changes:
 flatpak (1.16.6-1~deb13u1) trixie-security; urgency=high
 .
   * Backport new upstream stable release for Debian 13
     - Fix a sandbox escape involving symlinks passed to flatpak-portal.
       A malicious or compromised Flatpak app could exploit this to
       achieve arbitrary code execution on the host.
       (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
     - Prevent arbitrary file deletion outside the sandbox by a
       malicious or compromised Flatpak app
       (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
     - Prevent a local user from reading any file that is readable by
       the _flatpak system user. A mitigation is that it would be very
       unusual for these files not to be readable by the original local
       user as well.
       (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
     - Prevent a local user from making another local user unable to
       cancel an ongoing download of apps or runtimes installed
       system-wide via the system helper.
       (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
     - Various fixes for regressions caused when fixing CVE-2026-34078
   * Revert changes that are not appropriate for a stable update:
     - Revert "d/watch: Convert to v5 format, only watch stable
       (even-numbered) releases"
     - Revert "Standards-Version: 4.7.3"