flatpak (1.15.10-1)
COMMITS: VCS has seen 2 commits since the debian/1.15.10-1 tag
- Git: https://salsa.debian.org/debian/flatpak.git -b debian/experimental
- Branch: debian/experimental
- Path: debian/changelog
- Repo size: 3997696
- Browser: https://salsa.debian.org/debian/flatpak
- Last scan: 2024-11-17 18:37:31+00
- Next scan: 2024-11-23 05:02:00+00
- CI pipeline status: failed
- Debian changelog in Git:
  flatpak (1.15.10-1) experimental; urgency=high
    * New upstream development release
      - Don't follow symbolic links when mounting persistent directories
        (--persist option). This prevents a sandbox escape where a malicious
        or compromised app could edit the symlink to point to a directory
        that the app should not have been allowed to read or write.
        (CVE-2024-42472, GHSA-7hgv-f2j8-xw87)
    * d/control: Bump required bubblewrap version to 0.10.0.
      This adds the new --bind-fd option, required to solve CVE-2024-42472
      without introducing a race condition.
   -- Simon McVittie <smcv@debian.org> Wed, 14 Aug 2024 11:00:52 +0100
- This branch is 2 commits ahead of tag debian/1.15.10-1
- Git log:
  commit 28a396f8483abc4586e4502a4da00b7701c3908d
  Author: Simon McVittie <smcv@debian.org>
  Date: Sat Aug 17 17:14:34 2024 +0100
      d/upstream/metadata: Add Security-Contact
      See also https://github.com/flatpak/flatpak/blob/main/SECURITY.md
      (cherry picked from commit 1e482c6677800eff885ac2ac251063435725f5d4)
  commit 899bc67c0ae2390e41f566a2f90eab8a5a6bb35f
  Author: Simon McVittie <smcv@debian.org>
  Date: Sat Aug 17 17:13:22 2024 +0100
      d/upstream/metadata: Canonicalize sort order of keys
      (cherry picked from commit 94dffc8e2db9cc845e49e7bcdddc4101e26acb0c)