-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 10 Apr 2026 20:03:53 +0100
Source: flatpak
Binary: flatpak flatpak-dbgsym flatpak-tests flatpak-tests-dbgsym gir1.2-flatpak-1.0 libflatpak-dev libflatpak0 libflatpak0-dbgsym
Architecture: armhf
Version: 1.16.6-1~deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: arm Build Daemon (arm-ubc-05) <buildd_arm64-arm-ubc-05@buildd.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 1132943 1132944 1132945 1132946
Changes:
 flatpak (1.16.6-1~deb13u1) trixie-security; urgency=high
 .
   * Backport new upstream stable release for Debian 13
     - Fix a sandbox escape involving symlinks passed to flatpak-portal.
       A malicious or compromised Flatpak app could exploit this to achieve
       arbitrary code execution on the host.
       (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
     - Prevent arbitrary file deletion outside the sandbox by a malicious or
       compromised Flatpak app
       (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
     - Prevent a local user from reading any file that is readable by the
       _flatpak system user. A mitigation is that it would be very unusual
       for these files not to be readable by the original local user as well.
       (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
     - Prevent a local user from making another local user unable to cancel
       an ongoing download of apps or runtimes installed system-wide
       via the system helper.
       (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
     - Various fixes for regressions caused when fixing CVE-2026-34078
   * Revert changes that are not appropriate for a stable update:
     - Revert "d/watch: Convert to v5 format, only watch stable
       (even-numbered) releases"
     - Revert "Standards-Version: 4.7.3"
Checksums-Sha1:
Checksums-Sha256:
Files:
 58cc63b14dfee86a4764c4eeddc5e121 7130776 debug optional flatpak-dbgsym_1.16.6-1~deb13u1_armhf.deb
 2c81d917ecff4582de879100b654f357 10071728 debug optional flatpak-tests-dbgsym_1.16.6-1~deb13u1_armhf.deb
 e2738cc64594b966678031e96d499c11 1164412 misc optional flatpak-tests_1.16.6-1~deb13u1_armhf.deb
 4b1ba988d7550a76e448dad336880c5a 17074 admin optional flatpak_1.16.6-1~deb13u1_armhf-buildd.buildinfo
 520ae6c9c7a64a9a15793e573bef466e 1380292 admin optional flatpak_1.16.6-1~deb13u1_armhf.deb
 ae70f048755c9e7a879f158abd405c29 28112 introspection optional gir1.2-flatpak-1.0_1.16.6-1~deb13u1_armhf.deb
 bb3f6bd92de2764e56fe6874267f347d 72356 libdevel optional libflatpak-dev_1.16.6-1~deb13u1_armhf.deb
 3bf9addb0165e3d3e685730ea1db568c 1707160 debug optional libflatpak0-dbgsym_1.16.6-1~deb13u1_armhf.deb
 f886d6815422a88569845675804f0c8e 337180 libs optional libflatpak0_1.16.6-1~deb13u1_armhf.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
