CVE-2024-42472 was announced here: https://openwall.com/lists/oss-security/2024/08/14/6 Mageia 9 is also affected. The problem is fixed in versions 1.15.10 (Cauldron) and 1.14.10 (Mageia 9).
CVE: (none) => CVE-2024-42472
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => flatpak-1.15.8-1.mga10.src.rpm, flatpak-1.14.6-1.mga9.src.rpm
Assigning to the registered maintainer, CC'ing the de facto maintainer
CC: (none) => geiger.david68210, marja11
Assignee: bugsquad => mageia
Source RPM: flatpak-1.15.8-1.mga10.src.rpm, flatpak-1.14.6-1.mga9.src.rpm => flatpak-1.15.8-4.mga10.src.rpm, flatpak-1.14.6-1.mga9.src.rpm
Is neoclust still in Mageia? I have not heard anything from him these days.
CC: (none) => pkg-bugs
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Source RPM: flatpak-1.15.8-4.mga10.src.rpm, flatpak-1.14.6-1.mga9.src.rpm => flatpak-1.14.6-1.mga9.src.rpm
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Flatpak may allow access to files outside sandbox for certain apps. (CVE-2024-42472)

References:
https://openwall.com/lists/oss-security/2024/08/14/6
========================

Updated packages in core/updates_testing:
========================
bubblewrap-0.7.0-1.1.mga9
flatpak-1.14.10-1.mga9
flatpak-tests-1.14.10-1.mga9
lib(64)flatpak-devel-1.14.10-1.mga9
lib(64)flatpak-gir1.0-1.14.10-1.mga9
lib(64)flatpak0-1.14.10-1.mga9

from SRPMS:
bubblewrap-0.7.0-1.1.mga9.src.rpm
flatpak-1.14.10-1.mga9.src.rpm
Status: NEW => ASSIGNED
Assignee: mageia => qa-bugs
mga9-64

Strange: flatpak Firefox works in our current version, but not this update, see below.

Updated all packages in testing repo, still running on kernel-desktop-6.6.105-1.
System details in https://bugs.mageia.org/show_bug.cgi?id=34408#c25

For this, updated to:
- flatpak-1.14.10-1.mga9.x86_64
- lib64flatpak-gir1.0-1.14.10-1.mga9.x86_64
- lib64flatpak0-1.14.10-1.mga9.x86_64

Tests OK:
$ flatpak update
-> Updated some flatpackages OK

__Used installed flatpak programs:
§ KiCad: Launches OK (have not learned to use it yet)
§ Chromium: Surfing OK
§ Firefox: Does not launch at all:

[morgan@svarten ~]$ flatpak run org.mozilla.firefox

(flatpak run:170595): GLib-GIO-WARNING **: 16:35:39.592: /usr/share/applications/kde-mimeapps.list contains a [Added Associations] group, but it is not permitted here. Only the non-desktop-specific mimeapps.list file may add or remove associations.
bwrap: Unknown option --bind-fd

After reverting the update using
[morgan@svarten ~]$ sudo urpmi --downgrade flatpak-1.14.6-1.mga9
-> Firefox works.

[morgan@svarten ~]$ flatpak list | grep firef
Firefox org.mozilla.firefox 145.0 stable flathub user
CC: (none) => fri
Keywords: (none) => feedback
You need to update bubblewrap too.
Keywords: feedback => (none)
Keywords: (none) => advisory
Ah thanks, I jumped too far into the rpm list! Firefox OK and also tested a few more apps. BTW now running kernel linus 6.6.116 mga9-64 OK here
MGA9-64 Plasma, i5-7500, Nvidia Quadro K620 graphics (nvidia-current).

No installation issues.

Ran Discover, checked for updates, found two that were relevant - Space Cadet Pinball and the Surfshark VPN app. I updated those, seemingly without issues.

The Surfshark app worked as it should, but the pinball simulation has a regression in that it now doesn't work in maximized or full screen mode. Only part of the screen is shown. And if you try to expand the game window from the non-maximized state, the window expands but the game doesn't. Game play is normal in the smaller window.

I do not believe this regression has anything to do with the flatpak update, but rather with the game I updated with it, so I'm giving this an OK, and validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0303.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED