1.10.8

@smcv smcv released this 16 Mar 14:45

Security fixes backported from 1.14.4:

  • Escape special characters when displaying permissions and metadata, preventing malicious apps from manipulating the appearance of the permissions list using crafted metadata (CVE-2023-28101).

  • If a Flatpak app is run on a Linux virtual console (tty1, tty2, etc.), don't allow copy/paste via the TIOCLINUX ioctl (CVE-2023-28100). Note that this is specific to virtual consoles: Flatpak is not vulnerable to this if run from a graphical terminal emulator such as xterm, gnome-terminal or Konsole.
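
The kind of display escaping the CVE-2023-28101 item describes, as an added example that is not Flatpak's own code: `escape_for_display` is a hypothetical helper and the sample string is constructed. As a simplification it treats every non-ASCII byte as unprintable.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not Flatpak's function): return a newly allocated
 * copy of `in` that is safe to print on a terminal. ESC, CR, other control
 * bytes, DEL and bytes >= 0x80 become \xNN; a literal backslash is doubled
 * so the escaped form stays unambiguous. The caller frees the result. */
char *escape_for_display(const char *in)
{
    static const char hex[] = "0123456789abcdef";
    size_t len = strlen(in);
    /* Worst case: every input byte expands to four output bytes. */
    char *out = malloc(len * 4 + 1);
    char *p = out;

    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '\\') {
            *p++ = '\\';
            *p++ = '\\';
        } else if (c >= 0x20 && c < 0x7f) {
            *p++ = (char)c;            /* printable ASCII passes through */
        } else {
            *p++ = '\\';
            *p++ = 'x';
            *p++ = hex[c >> 4];
            *p++ = hex[c & 0x0f];
        }
    }
    *p = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample: a metadata value containing ESC, CR and '\'. */
    const char *crafted = "a\x1b[1mb\rc\\d";
    char *safe = escape_for_display(crafted);

    if (safe == NULL)
        return 1;
    printf("%s\n", safe);              /* terminal sees only printable ASCII */
    free(safe);
    return 0;
}
```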

Other bug fixes backported from 1.12.x and 1.14.x:

  • If an app update is blocked by parental controls policies, clean up the temporary deploy directory (#5146)
  • Fix Autotools build with versions of gpgme that no longer provide gpgme-config(1) (#5173)
  • Fix regressions in flatpak history since 1.9.1
    • Don't display the appstream branch used internally
    • Don't display temporary repositories used internally
    • Ignore transaction log entries with empty REF field
    • Warn instead of failing if other non-app, non-runtime refs are found
    • Don't set up an unnecessary polkit agent for flatpak history
    • Add test coverage
  • Fix a typo in an error message
  • Fix incorrect year in NEWS for 1.10.7 release
  • Translation update: pl
  • Add test coverage for Flatpak's seccomp filters

sha256:

65569dbf31344581a1e7782d09e702bb41e7011ae21cd021c414a2925f84b82c *flatpak-1.10.8.tar.xz