1.10.8
Security fixes backported from 1.14.4:
-
Escape special characters when displaying permissions and metadata, preventing malicious apps from manipulating the appearance of the permissions list using crafted metadata (CVE-2023-28101).
-
If a Flatpak app is run on a Linux virtual console (tty1, tty2, etc.), don't allow copy/paste via the TIOCLINUX ioctl (CVE-2023-28100). Note that this is specific to virtual consoles: Flatpak is not vulnerable to this if run from a graphical terminal emulator such as xterm, gnome-terminal or Konsole.
Other bug fixes backported from 1.12.x and 1.14.x:
- If an app update is blocked by parental controls policies, clean up the temporary deploy directory (#5146)
- Fix Autotools build with versions of gpgme that no longer provide gpgme-config(1) (#5173)
- Fix regressions in
flatpak history
since 1.9.1- Don't display the appstream branch used internally
- Don't display temporary repositories used internally
- Ignore transaction log entries with empty REF field
- Warn instead of failing if other non-app, non-runtime refs are found
- Don't set up an unnecessary polkit agent for
flatpak history
- Add test coverage
- Fix a typo in an error message
- Fix incorrect year in NEWS for 1.10.7 release
- Translation update: pl
- Add test coverage for Flatpak's seccomp filters
sha256:
65569dbf31344581a1e7782d09e702bb41e7011ae21cd021c414a2925f84b82c *flatpak-1.10.8.tar.xz