-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Apr 2026 20:27:40 +0100
Source: flatpak
Binary: flatpak flatpak-dbgsym flatpak-tests flatpak-tests-dbgsym gir1.2-flatpak-1.0 libflatpak-dev libflatpak0 libflatpak0-dbgsym
Architecture: mips64el
Version: 1.14.10-1~deb12u2
Distribution: bookworm-security
Urgency: high
Maintainer: mipsel Build Daemon (mipsel-osuosl-03) <buildd_mips64el-mipsel-osuosl-03@buildd.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 1132943 1132944 1132945 1132946 1132960 1132968
Changes:
 flatpak (1.14.10-1~deb12u2) bookworm-security; urgency=high
 .
   * Security update
   * d/p/CVE-2026-34078-prep/*.patch:
     Backport libglnx changes required to address CVE-2026-34078
   * d/p/CVE-2026-34078/*.patch:
     Fix a sandbox escape involving symlinks passed to flatpak-portal.
     A malicious or compromised Flatpak app could exploit this to achieve
     arbitrary code execution on the host.
     (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
   * d/p/CVE-2026-34079/*.patch:
     Prevent arbitrary file deletion outside the sandbox by a malicious or
     compromised Flatpak app
     (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
   * d/p/GHSA-2fxp-43j9-pwvc/*.patch:
     Prevent a local user from reading any file that is readable by the
     _flatpak system user. A mitigation is that it would be very unusual
     for these files not to be readable by the original local user as well.
     (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
   * d/p/GHSA-89xm-3m96-w3jg/*.patch:
     Prevent a local user from making another local user unable to cancel
     an ongoing download of apps or runtimes installed system-wide
     via the system helper.
     (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
   * d/p/portal-Use-G_LOCK_DEFINE_STATIC.patch,
     d/p/portal-Don-t-run-method-invocations-in-a-thread.patch:
     Add patches from upstream flatpak-1.14.x branch (which never got into a
     release before the branch was discontinued), originally from 1.16.1,
     fixing a thread-safety issue in flatpak-portal
   * d/p/1.16.5/*.patch:
     Add regression fixes taken from the upstream 1.16.5 release,
     fixing various regressions introduced by fixing CVE-2026-34078
     and improving test coverage
     (Closes: #1132960)
   * d/p/1.16.6/*.patch:
     Add regression fixes taken from the upstream 1.16.6 release,
     fixing additional regressions introduced by fixing CVE-2026-34078
     and improving test coverage
     (Closes: #1132968)
     - d/control: Add curl(1) to Build-Depends and flatpak-tests Depends
   * d/p/1.16.7/bwrap-Clarify-a-comment.patch,
     d/p/dir-Silence-a-spurious-warning-when-installing-extra-data.patch:
     Silence a spurious warning seen while testing 1.16.6
Checksums-Sha1:
Checksums-Sha256:
Files:

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
