-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 10 Apr 2026 20:03:53 +0100
Source: flatpak
Binary: flatpak flatpak-dbgsym flatpak-tests flatpak-tests-dbgsym gir1.2-flatpak-1.0 libflatpak-dev libflatpak0 libflatpak0-dbgsym
Architecture: armel
Version: 1.16.6-1~deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: arm Build Daemon (arm-ubc-03) <buildd_arm64-arm-ubc-03@buildd.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 1132943 1132944 1132945 1132946
Changes:
 flatpak (1.16.6-1~deb13u1) trixie-security; urgency=high
 .
   * Backport new upstream stable release for Debian 13
     - Fix a sandbox escape involving symlinks passed to flatpak-portal.
       A malicious or compromised Flatpak app could exploit this to achieve
       arbitrary code execution on the host.
       (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
     - Prevent arbitrary file deletion outside the sandbox by a malicious or
       compromised Flatpak app
       (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
     - Prevent a local user from reading any file that is readable by the
       _flatpak system user. A mitigation is that it would be very unusual
       for these files not to be readable by the original local user as well.
       (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
     - Prevent a local user from making another local user unable to cancel
       an ongoing download of apps or runtimes installed system-wide
       via the system helper.
       (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
     - Various fixes for regressions caused when fixing CVE-2026-34078
   * Revert changes that are not appropriate for a stable update:
     - Revert "d/watch: Convert to v5 format, only watch stable
       (even-numbered) releases"
     - Revert "Standards-Version: 4.7.3"
Files:
 66a2527ef15c61ead33278929e298dce 7129128 debug optional flatpak-dbgsym_1.16.6-1~deb13u1_armel.deb
 3ee5ca1e853136d7a4025d6fcfb1a867 10097008 debug optional flatpak-tests-dbgsym_1.16.6-1~deb13u1_armel.deb
 71f23f1724c65a4048957c8918d69218 1145008 misc optional flatpak-tests_1.16.6-1~deb13u1_armel.deb
 12886cd91521f191d06652e77d7262eb 17060 admin optional flatpak_1.16.6-1~deb13u1_armel-buildd.buildinfo
 eb9045aeb38167615c5a918f138291f9 1363144 admin optional flatpak_1.16.6-1~deb13u1_armel.deb
 df54b1714cf5bc1e7c4d017e99a18622 28104 introspection optional gir1.2-flatpak-1.0_1.16.6-1~deb13u1_armel.deb
 1a88143203d73f749b71f108875d5c06 72340 libdevel optional libflatpak-dev_1.16.6-1~deb13u1_armel.deb
 acc49333eca288ca7254bb17d8df1b54 1709052 debug optional libflatpak0-dbgsym_1.16.6-1~deb13u1_armel.deb
 06a85518c336c266048c8cf02384cdeb 329848 libs optional libflatpak0_1.16.6-1~deb13u1_armel.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
