Format: 1.8
Date: Fri, 10 Apr 2026 20:03:53 +0100
Source: flatpak
Binary: flatpak flatpak-dbgsym flatpak-tests flatpak-tests-dbgsym gir1.2-flatpak-1.0 libflatpak-dev libflatpak0 libflatpak0-dbgsym
Architecture: riscv64
Version: 1.16.6-1~deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: riscv64 Build Daemon (rv-manda-03) <buildd_riscv64-rv-manda-03@buildd.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 1132943 1132944 1132945 1132946
Changes:
 flatpak (1.16.6-1~deb13u1) trixie-security; urgency=high
 .
   * Backport new upstream stable release for Debian 13
     - Fix a sandbox escape involving symlinks passed to flatpak-portal.
       A malicious or compromised Flatpak app could exploit this to achieve
       arbitrary code execution on the host.
       (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
     - Prevent arbitrary file deletion outside the sandbox by a malicious or
       compromised Flatpak app
       (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
     - Prevent a local user from reading any file that is readable by the
       _flatpak system user. A mitigation is that it would be very unusual
       for these files not to be readable by the original local user as well.
       (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
     - Prevent a local user from making another local user unable to cancel
       an ongoing download of apps or runtimes installed system-wide
       via the system helper.
       (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
     - Various fixes for regressions caused when fixing CVE-2026-34078
   * Revert changes that are not appropriate for a stable update:
     - Revert "d/watch: Convert to v5 format, only watch stable
       (even-numbered) releases"
     - Revert "Standards-Version: 4.7.3"

