[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-24 Thread Jeremy Bícha
Jeff, that's just how Launchpad is configured. Sorry. But there is a better way to look for security issues in a package than trying to navigate Launchpad: https://ubuntu.com/security/cves?package=flatpak -- You received this bug notification because you are a member of Ubuntu Bugs, which is

[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-24 Thread Jia Tan
The Ubuntu packages turned out to be safe, but administrators of high security environments should still reach out privately for an assessment done by adding a test repository. Please make this issue private, it's confusing for users, making my work harder.

[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-24 Thread Jeff
While I'm not fully familiar with how things are done here, is it really sensible that the "Fix Released" status prevents search on the main page from even finding this issue? We aren't far from the upstream fixes being available for a week already without any of the supported releases of Ubuntu

[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-21 Thread Simon McVittie
This also affects focal, bionic, and older LTS suites. If it's possible to update focal to 1.12.9 from the upstream 1.12.x stable branch, that would also resolve LP: #2063034 and LP: #2063035. There isn't much point in the upstream developers doing 1.12.x releases if distributions aren't going to

[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-21 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: flatpak (Ubuntu Jammy) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2062406

[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-21 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: flatpak (Ubuntu Mantic) Status: New => Confirmed

[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-21 Thread Simon McVittie
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-32462

[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-20 Thread Jeremy Bícha
I'm not working on the stable security updates now but I opened tasks for them in case someone else wants to contribute.
** Also affects: flatpak (Ubuntu Jammy) Importance: Undecided Status: New
** Also affects: flatpak (Ubuntu Mantic) Importance: Undecided Status: New

[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-19 Thread Jeff
Covering just Noble isn't really enough with Mantic and Jammy still providing vulnerable packages according to the advisory listing affected versions as:
- < 1.10.9
- 1.12.x < 1.12.9
- 1.14.x < 1.14.6
- 1.15.x < 1.15.8

[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-19 Thread Jeremy Bícha
I'm manually closing the bug now since it was accepted into noble-proposed without a LP bug number. I'll watch to make sure it migrates to noble release https://launchpad.net/ubuntu/+source/flatpak/1.14.6-1
** Changed in: flatpak (Ubuntu) Status: Fix Committed => Fix Released

[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-19 Thread Jeremy Bícha
** Changed in: flatpak (Ubuntu) Status: In Progress => Fix Committed

[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-18 Thread Jeremy Bícha
** Tags added: noble upgrade-software-version
** Description changed:
Upstream advisory: https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj
If possible please sync 1.14.6-1 from Debian instead of backporting fixes. That version only fixes the security issue

[Bug 2062406] Re: CVE-2024-32462: Sandbox escape via RequestBackground portal and CWE-88

2024-04-18 Thread Jeremy Bícha
** Changed in: flatpak (Ubuntu) Status: New => In Progress
** Changed in: flatpak (Ubuntu) Assignee: (unassigned) => Jeremy Bícha (jbicha)
** Changed in: flatpak (Ubuntu) Importance: Undecided => High