Public bug reported: Another bubblewrap security issue. This has been fixed in Debian and upstream in both bubblewrap and Flatpak which need to be updated at the same time.
I've been wanting to update Flatpak to 0.8 anyway (LP: #1656712) since December but was waiting to get bubblewrap taken care of first to make it simpler. Now I guess we'll do it all together. There are three affected packages in yakkety: - bubblewrap - flatpak - ostree (new version needed for new flatpak) I'll attach debdiffs here for them. I propose we do like the last bubblewrap update and build these as security updates but age them for 7 days first like SRUs. ** Affects: bubblewrap (Ubuntu) Importance: Undecided Status: New ** Affects: flatpak (Ubuntu) Importance: Undecided Status: New ** Tags: yakkety ** Also affects: bubblewrap (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1657357 Title: bubblewrap escape via TIOCSTI ioctl To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1657357/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs