** Description changed:

+ Impact
+ ======
+ bubblewrap 0.1.3 and 0.1.4 fix a security vulnerability. 0.1.5 has some minor improvements but also fixes the tests.
+
+ https://github.com/projectatomic/bubblewrap/releases
+
+ Test Case
+ =========
+ I'm not familiar enough with the code to have a test case for this.
+
+ Regression Potential
+ ====================
+ Low because bubblewrap is currently only used by Flatpak. The Flatpak developers very strongly recommend updating bubblewrap to at least 0.1.4 but 0.1.5 fixes a few more issues.
+
+ See LP: #1649330 where there is some interest in using bubblewrap for
+ some snap apps.
+
+
+ Other Info
+ ==========
+ I just copied the Debian packaging from 0.1.5-1. The Debian packaging only updates debian/copyright and makes improvements to the build tests and autopkgtests.
+
+ Original Bug Report
+ ===================
+ The bubblewrap package in yakkety (16.10) has a local privilege escalation vulnerability that's been fixed in upstream for a while. Debian has moved on to 0.1.3, but they had a 0.1.2-2 for a while that patched the vulnerability at a loss of functionality.

  https://github.com/projectatomic/bubblewrap/issues/107
  https://packages.qa.debian.org/b/bubblewrap.html

  Note: I don't use Ubuntu, but software I maintain depends on bubblewrap, and having old known insecure packages is bad for my users.
--
https://bugs.launchpad.net/bugs/1643734

Title:
  privilege escalation via ptrace (CVE-2016-8659)
