Format: 1.8
Date: Fri, 10 Apr 2026 20:03:53 +0100
Source: flatpak
Architecture: source
Version: 1.16.6-1~deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 1132943 1132944 1132945 1132946
Changes:
 flatpak (1.16.6-1~deb13u1) trixie-security; urgency=high
 .
   * Backport new upstream stable release for Debian 13
     - Fix a sandbox escape involving symlinks passed to flatpak-portal.
       A malicious or compromised Flatpak app could exploit this to achieve
       arbitrary code execution on the host.
       (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
     - Prevent arbitrary file deletion outside the sandbox by a malicious or
       compromised Flatpak app
       (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
     - Prevent a local user from reading any file that is readable by the
       _flatpak system user. A mitigation is that it would be very unusual
       for these files not to be readable by the original local user as well.
       (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
     - Prevent a local user from making another local user unable to cancel
       an ongoing download of apps or runtimes installed system-wide
       via the system helper.
       (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
     - Various fixes for regressions caused when fixing CVE-2026-34078
   * Revert changes that are not appropriate for a stable update:
     - Revert "d/watch: Convert to v5 format, only watch stable
       (even-numbered) releases"
     - Revert "Standards-Version: 4.7.3"
Checksums-Sha1:
 960ff1b37d283cb8e6ae37f6429a4cdaee4a63c9 2858 flatpak_1.16.6-1~deb13u1.dsc
 1154e7c0756c558c929e7cdb680ffff37036507c 42712 flatpak_1.16.6-1~deb13u1.debian.tar.xz
 93ff9ff26f3371446ed93beb4596acb5ae35f6a7 14067 flatpak_1.16.6-1~deb13u1_source.buildinfo
Checksums-Sha256:
 a8c2082be18f7b9a2a1752ea41867bec6e2b69f2b5a183e9449a00718e702bd6 2858 flatpak_1.16.6-1~deb13u1.dsc
 9cc40d786426b525aaac0a5791bd7e53907e6f4412b885d0d05f3c25fb65bb8d 42712 flatpak_1.16.6-1~deb13u1.debian.tar.xz
 82d66b0cb2531e8edadbe90d01de0b3fde940aa00d99a5c8efb5603a15849b26 14067 flatpak_1.16.6-1~deb13u1_source.buildinfo
Files:
 1f8b96c629f250a3a8abab7d9cd5bead 2858 admin optional flatpak_1.16.6-1~deb13u1.dsc
 bfb96ae3f07c04f0671d28bf981eb3a2 42712 admin optional flatpak_1.16.6-1~deb13u1.debian.tar.xz
 3f6f5426cea28c86b66a813e1527eaec 14067 admin optional flatpak_1.16.6-1~deb13u1_source.buildinfo