Description of problem:
The main change in this version is a fix for a regression in the progress calculation for applications using extra-data.
Additionally the bundled version of bubblewrap is updated to 0.4.1 which fixes a security issue in some cases. See: https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj for details.
Other changes:
Updated translations
Don't break if user's primary gid is not in the nsswitch database
Fix crash in flatpak repair if no remotes are configured
Some updates to the oci authenticator
Retry downloads of extra data
Also, the latest flatpak version is Release 1.8.1.
Cauldron (mga8a1) current version is flatpak-1.6.2, which has the vulnerability.
CVE: (none) => CVE-2020-5291
Assignee: bugsquad => ngompa13
We don't bundle bubblewrap, we build against the system one. Upstream advisory says only 0.4.0 is affected, so we're not affected.
Source RPM: flatpak-1.6.2-1.mga8.src.rpm => bubblewrap-0.3.3-1.mga7.src.rpm
Version: Cauldron => 7
URL: https://github.com/flatpak/flatpak/releases => (none)
Resolution: (none) => INVALID
Summary: Bundled bubblewrap is updated upstream to 0.4.1 which fixes a security issue in some cases. => bubblewrap new security issue CVE-2020-5291
Status: NEW => RESOLVED
Status comment: (none) => Fixed upstream in 0.4.1
*** Bug 27732 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu