-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 10 Apr 2026 20:03:53 +0100
Source: flatpak
Binary: flatpak flatpak-dbgsym flatpak-tests flatpak-tests-dbgsym gir1.2-flatpak-1.0 libflatpak-dev libflatpak0 libflatpak0-dbgsym
Architecture: amd64
Version: 1.16.6-1~deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: all / amd64 / i386 Build Daemon (x86-conova-02) <buildd_amd64-x86-conova-02@buildd.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 1132943 1132944 1132945 1132946
Changes:
 flatpak (1.16.6-1~deb13u1) trixie-security; urgency=high
 .
   * Backport new upstream stable release for Debian 13
     - Fix a sandbox escape involving symlinks passed to flatpak-portal.
       A malicious or compromised Flatpak app could exploit this to achieve
       arbitrary code execution on the host.
       (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
     - Prevent arbitrary file deletion outside the sandbox by a malicious or
       compromised Flatpak app
       (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
     - Prevent a local user from reading any file that is readable by the
       _flatpak system user. A mitigation is that it would be very unusual
       for these files not to be readable by the original local user as well.
       (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
     - Prevent a local user from making another local user unable to cancel
       an ongoing download of apps or runtimes installed system-wide
       via the system helper.
       (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
     - Various fixes for regressions caused when fixing CVE-2026-34078
   * Revert changes that are not appropriate for a stable update:
     - Revert "d/watch: Convert to v5 format, only watch stable
       (even-numbered) releases"
     - Revert "Standards-Version: 4.7.3"

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
