File _patchinfo of Package patchinfo.28336

Overview Repositories Revisions Requests Users Attributes Meta

File _patchinfo of Package patchinfo.28336

<patchinfo incident="28336">
  <issue tracker="bnc" id="1209410">VUL-0: CVE-2023-28101: flatpak: Metadata with ANSI control codes can cause misleading terminal output</issue>
  <issue tracker="bnc" id="1209411">VUL-0: CVE-2023-28100: flatpak: TIOCLINUX can send commands outside sandbox if running on a virtual console</issue>
  <issue tracker="cve" id="2023-28101"/>
  <issue tracker="cve" id="2023-28100"/>
  <packager>JonathanKang</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for flatpak</summary>
  <description>This update for flatpak fixes the following issues:

- CVE-2023-28101: Fixed misleading terminal output with metadata with ANSI control codes (bsc#1209410).
- CVE-2023-28100: Fixed unsandboxed TIOCLINUX commands (bsc#1209411).

Update to version 1.10.8:

- If an app update is blocked by parental controls policies,
  clean up the temporary deploy directory
- Fix Autotools build with versions of gpgme that no longer
  provide gpgme-config(1)
- Fix regressions in `flatpak history` since 1.9.1
  + Don't display the appstream branch used internally
  + Don't display temporary repositories used internally
  + Ignore transaction log entries with empty REF field
  + Warn instead of failing if other non-app, non-runtime refs are found
  + Don't set up an unnecessary polkit agent for `flatpak history`
  + Add test coverage
- Fix a typo in an error message
- Fix incorrect year in NEWS for 1.10.7 release
- Translation update: pl
- Add test coverage for Flatpak's seccomp filters
</description>
</patchinfo>

Places

File _patchinfo of Package patchinfo.28336

Places