mirror of
https://github.com/flatpak/flatpak.git
synced 2026-04-07 00:26:56 -04:00
Update NEWS for release
25
NEWS
@@ -1,3 +1,28 @@
Changes in 1.8.7
~~~~~~~~~~~~~~~~
Released: 2022-02-03
This is a security update that fixes two issues that were found in flatpak:
https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j
(also known as CVE-2021-43860)
This issue is about the possibility for a malicious repository to send
invalid application metadata in a way that hides some of the app
permissions displayed during installation.
https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx
(also known as CVE-2022-21682)
This issue is a problem with how flatpak-builder uses flatpak, that
can cause `flatpak-builder --mirror-screenshots-url` commands to be
allowed to create directories outside of the build directory.
The fix for this is is the addition of a new option
`--nofilesystem=host:reset`, which in addition to behaving like
`--nofilesystem=host`, the new option prevents filesystem permissions
from being inherited from the app manifest.
Changes in 1.8.6
~~~~~~~~~~~~~~~~
Released: 2022-01-24
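Review bot: In the CVE-2022-21682 paragraph of the 1.8.7 entry, "The fix for this is is the addition" has a doubled "is", and the rest of that sentence does not parse ("which in addition to behaving like `--nofilesystem=host`, the new option prevents ..."). Suggested wording: "The fix is a new option, `--nofilesystem=host:reset`, which behaves like `--nofilesystem=host` and also prevents filesystem permissions from being inherited from the app manifest." The same entry describes the problem as being in how flatpak-builder uses flatpak but only mentions a new flatpak option; it would help readers to say whether flatpak-builder has to be updated as well so that it passes the new option.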