-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 10 Apr 2026 23:58:31 BST
Source: flatpak
Architecture: source
Version: 1.16.6-1~deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Utopia Maintenance Team
Changed-By: Simon McVittie
Closes: 1132943 1132944 1132945 1132946
Changes:
 flatpak (1.16.6-1~deb13u1) trixie-security; urgency=high
 .
   * Backport new upstream stable release for Debian 13
     - Fix a sandbox escape involving symlinks passed to flatpak-portal.
       A malicious or compromised Flatpak app could exploit this to
       achieve arbitrary code execution on the host.
       (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
     - Prevent arbitrary file deletion outside the sandbox by a malicious
       or compromised Flatpak app
       (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
     - Prevent a local user from reading any file that is readable by the
       _flatpak system user. A mitigation is that it would be very unusual
       for these files not to be readable by the original local user as well.
       (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
     - Prevent a local user from making another local user unable to cancel
       an ongoing download of apps or runtimes installed system-wide via
       the system helper.
       (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
     - Various fixes for regressions caused when fixing CVE-2026-34078
   * Revert changes that are not appropriate for a stable update:
     - Revert "d/watch: Convert to v5 format, only watch stable
       (even-numbered) releases"
     - Revert "Standards-Version: 4.7.3"
Checksums-Sha256:
 f8693a4ea38466ac3e1dddbe357c9e1e72db88ec650176c5ec0ecc23a692b1b2 3741 flatpak_1.16.6-1~deb13u1.dsc
 9cc40d786426b525aaac0a5791bd7e53907e6f4412b885d0d05f3c25fb65bb8d 42712 flatpak_1.16.6-1~deb13u1.debian.tar.xz
 d4d40d758e5869bb745f90472995eae5589b2fb681d024bea0c87e53c18136ab 14950 flatpak_1.16.6-1~deb13u1_source.buildinfo
 1e63e7f3fe44b602f34d92a6fe46fd8a3bc6be9460c03c2681e57976c658eec3 1242088 flatpak_1.16.6.orig.tar.xz
Checksums-Sha1:
 dca489c4f782b537d5886f021b54fb71be2fb403 3741 flatpak_1.16.6-1~deb13u1.dsc
 1154e7c0756c558c929e7cdb680ffff37036507c 42712 flatpak_1.16.6-1~deb13u1.debian.tar.xz
 450b6aa94af815a4ba6f99700a7a654fcda0b3d8 14950 flatpak_1.16.6-1~deb13u1_source.buildinfo
 735ac6e954b284d9eeaadcd260b4a20483534323 1242088 flatpak_1.16.6.orig.tar.xz
Files:
 92f5b3bd1f01c69c8bc10f591c8ff4e3 3741 admin optional flatpak_1.16.6-1~deb13u1.dsc
 bfb96ae3f07c04f0671d28bf981eb3a2 42712 admin optional flatpak_1.16.6-1~deb13u1.debian.tar.xz
 fba41629a1efb25e8c08b854742e89b6 14950 admin optional flatpak_1.16.6-1~deb13u1_source.buildinfo
 4c18bbd3a7eb15232030605165b263e3 1242088 admin optional flatpak_1.16.6.orig.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEegc60a5pT6Jb/2LlI1wJnT6zMHYFAmnZgJ4ACgkQI1wJnT6z
MHbmHg//T2xba9rv+DnSjGQyrarwKiWUFV5rRbbbS7U0TnpAXiAQS+d06iCh3OeT
t+GBWG50lEsW6d2GZ9Cvx4V1ZK/wHGmRPDmcDigjVIy1g4H2S/3/9r2rv9LK+uea
NfMiCfExC1ryhvJACEpR3t6I3xWxIpiLsmbGbgqz2oIR0Yvu+0ookb2Oxeq7IGkZ
/LJTksnNhfbfrj+SwxDxMFvoMKzwDg7NhiNiQ9Va0Y59lxKHIPxA5h5r4xXTRXnL
yTk8PrhxJW7NAjexmfxeIFW5OdTUyTkW97i92w/8TA/XTyAiXQFCtOTQiPb/OI2C
YK5NQ3/hg+hL/1Kj03MsN9yRDGwDz7ipUb/q5dvOyIgLr2HPomwX7nZUEdj4BBQi
4Pk6ZYd4+8ayb5w4bZni4hi3xAYSe0ClM1oupLekHS58xXtgrDMKc0p90+EBhwdt
ILC0PG5fyI4TRnmy0oRrxpItLgixev3Wp9b4PRsEH4OmhkO6T1vDFEHB3xe4MPqp
rvpI5hwlh7d3vEiAQ2ytv2DjSG55QCIZIK8tc7BbNPJ45MBbQokgG5YvEzAG/l8u
+fI7va+gE/44cODW/tculgZil5BYINGSzGY+nyJ3sziKK3zAimXlSKrMKnxZ2r+m
i4PTIPMe6mJDZ5deXXpGz+doCzBWWZZGUnuAcEkDGI8Opo6a+uY=
=/a06
-----END PGP SIGNATURE-----
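The Checksums-Sha256 stanza above is what a practitioner checks before building or installing from a downloaded source upload. The script below is an added example, not code from the .changes file or from the Debian project: it parses that stanza out of a .changes file and compares the size and SHA-256 of every listed file. It assumes the listed files sit next to the .changes file and that GNU sha256sum is available; the demo function builds a constructed one-file upload in a temporary directory (the name sample_1.0-1 is hypothetical). Verifying the PGP signature itself (gpg --verify against the Debian keyring, or dscverify from devscripts) is a separate step not shown here.

```shell
#!/bin/sh
# Added example (not part of the .changes file above): verify the files a
# Debian .changes file lists against its Checksums-Sha256 stanza.
# Assumes: files live beside the .changes file; GNU sha256sum is installed.

# Emit "<sha256> <size> <filename>" for each entry of the Checksums-Sha256
# stanza. Continuation lines start with one space; the stanza ends at the
# next unindented "Field:" line (for example "Checksums-Sha1:").
changes_sha256_entries() {
    awk '
        /^Checksums-Sha256:/ { in_stanza = 1; next }
        /^[^ ]/              { in_stanza = 0 }
        in_stanza && NF == 3 { print $1, $2, $3 }
    ' "$1"
}

# Check every listed file for existence, exact size and SHA-256.
# Prints one status line per file; returns 0 only if all files match.
verify_changes() {
    changes=$1
    dir=$(dirname "$changes")
    entries=$(changes_sha256_entries "$changes")
    status=0
    while read -r expected_sum expected_size name; do
        [ -n "$name" ] || continue
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"
            status=1
            continue
        fi
        actual_size=$(wc -c < "$path" | tr -d ' ')
        actual_sum=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual_size" = "$expected_size" ] && [ "$actual_sum" = "$expected_sum" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (size $actual_size, sha256 $actual_sum)"
            status=1
        fi
    done <<EOF
$entries
EOF
    return "$status"
}

# Demo on constructed data: write a hypothetical one-file upload and a
# minimal .changes for it, verify, then tamper with the file and verify
# again. Returns 0 if the intact upload passes and the tampered one fails.
demo() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/changes-demo.XXXXXX")
    tarball="$work/sample_1.0.orig.tar.xz"
    changes="$work/sample_1.0-1_source.changes"
    printf 'constructed sample payload\n' > "$tarball"
    size=$(wc -c < "$tarball" | tr -d ' ')
    sum=$(sha256sum "$tarball" | cut -d' ' -f1)
    {
        echo 'Format: 1.8'
        echo 'Source: sample'
        echo 'Checksums-Sha256:'
        echo " $sum $size sample_1.0.orig.tar.xz"
        echo 'Checksums-Sha1:'
        echo ' 0000000000000000000000000000000000000000 1 not-checked-here'
    } > "$changes"

    verify_changes "$changes" || { rm -rf "$work"; return 1; }
    printf 'tampered\n' >> "$tarball"
    if verify_changes "$changes"; then
        rm -rf "$work"
        return 1   # tampering went undetected
    fi
    rm -rf "$work"
    return 0
}
```

Against the real upload, fetch the files with dget (or apt-get source) and run `verify_changes flatpak_1.16.6-1~deb13u1_source.changes` in that directory; a non-zero exit means at least one file is missing, truncated or altered and must not be built from.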