Skip to content
Choose a tag to compare

Release 1.12.3

@alexlarsson alexlarsson released this
Choose a tag to compare

This is a security update that fixes two issues that were found in flatpak:

(also known as CVE-2021-43860)

This issue is about the possibility for a malicious repository to send
invalid application metadata in a way that hides some of the app
permissions displayed during installation.


This issue is a problem with how flatpak-builder uses flatpak, that
can cause flatpak-builder --mirror-screenshots-url commands to be
allowed to create directories outside of the build directory.

The fix for this is done in flatpak by making the --nofilesystem=host
and --nofilesystem=home more powerful. They previously only removed
access to the particular location, i.e. --nofilesystem=host negated
--filesystem=host, but not --filesytem=/some/dir. This is a minor
change in behavior, as it may change the behavior of an override
with these specific options, however it is likely that the new
behavior was the expected one.

Other changes:

  • Extra-data downloading now properly handles compressed content-encodings
    which fixes checksum verification (see #4415)
    Note: In some corner case server setups this may require the extra-data
    checksum to be changed
  • Avoid unnecessary policy-kit dialog due to auto-pinning when installing runtimes
  • Better handling of updates of extensions that exist in multiple repositories
  • Fixed (initial) installation apps with renamed ids
  • Support more pulseaudio configuration, including the one used in WSL2
  • Fixed regression in updates from no-enumerate remotes
  • We now verify checksums of summary caches, to better handle local file
  • Improved cli output for non-terminal targets
  • Flatpak run --session-bus now works
  • Fix build with PyParsing >= 3.0.4
  • Fixed "Since" annotations on FlatpakTransaction signals
  • bash auto completion now doesn't complete on command name aliases
  • Minor improvements to the search command
  • Minor improvements to the list command
  • Minor improvements to the repair command
  • Add more tests
  • Updated translations and docs
$ sha256sum flatpak-1.12.3.tar.xz 
d715f23347d7eb859301c8f0c778a899bb7c9e26dac6ae2a2a4b9fc21cf77b69  flatpak-1.12.3.tar.xz