-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 10 Apr 2026 20:03:53 +0100
Source: flatpak
Binary: flatpak flatpak-dbgsym flatpak-tests flatpak-tests-dbgsym gir1.2-flatpak-1.0 libflatpak-dev libflatpak0 libflatpak0-dbgsym
Architecture: arm64
Version: 1.16.6-1~deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: arm Build Daemon (arm-ubc-06) <buildd_arm64-arm-ubc-06@buildd.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 flatpak    - Application deployment framework for desktop apps
 flatpak-tests - Application deployment framework for desktop apps (tests)
 gir1.2-flatpak-1.0 - Application deployment framework for desktop apps (introspection)
 libflatpak-dev - Application deployment framework for desktop apps (development)
 libflatpak0 - Application deployment framework for desktop apps (library)
Closes: 1132943 1132944 1132945 1132946
Changes:
 flatpak (1.16.6-1~deb13u1) trixie-security; urgency=high
 .
   * Backport new upstream stable release for Debian 13
     - Fix a sandbox escape involving symlinks passed to flatpak-portal.
       A malicious or compromised Flatpak app could exploit this to achieve
       arbitrary code execution on the host.
       (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
     - Prevent arbitrary file deletion outside the sandbox by a malicious or
       compromised Flatpak app
       (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
     - Prevent a local user from reading any file that is readable by the
       _flatpak system user. A mitigation is that it would be very unusual
       for these files not to be readable by the original local user as well.
       (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
     - Prevent a local user from making another local user unable to cancel
       an ongoing download of apps or runtimes installed system-wide
       via the system helper.
       (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
     - Various fixes for regressions caused when fixing CVE-2026-34078
   * Revert changes that are not appropriate for a stable update:
     - Revert "d/watch: Convert to v5 format, only watch stable
       (even-numbered) releases"
     - Revert "Standards-Version: 4.7.3"
Files:
 6fe2318793b336378634ca57cd0620f6 7540620 debug optional flatpak-dbgsym_1.16.6-1~deb13u1_arm64.deb
 0afcac2b202e9c0e1647dff07a36e3ca 10724796 debug optional flatpak-tests-dbgsym_1.16.6-1~deb13u1_arm64.deb
 77f881707c8d7ee6e93c3cdbb22ebacb 1303148 misc optional flatpak-tests_1.16.6-1~deb13u1_arm64.deb
 3eae53b00e33dd254a40186b89d07f95 17201 admin optional flatpak_1.16.6-1~deb13u1_arm64-buildd.buildinfo
 f131cf8d50028c5d1492ae809a50a782 1468700 admin optional flatpak_1.16.6-1~deb13u1_arm64.deb
 325a25fe2159da86e2548d55db2ad442 28108 introspection optional gir1.2-flatpak-1.0_1.16.6-1~deb13u1_arm64.deb
 e32fb2d158ec92b74c85325505719e27 72348 libdevel optional libflatpak-dev_1.16.6-1~deb13u1_arm64.deb
 d0942b2e0fc662fbc936c20e5ee58c66 1740628 debug optional libflatpak0-dbgsym_1.16.6-1~deb13u1_arm64.deb
 75d6df87494d5ea393de7b212cda57ff 348748 libs optional libflatpak0_1.16.6-1~deb13u1_arm64.deb

