References:
https://www.openwall.com/lists/oss-security/2026/04/09/3
https://github.com/flatpak/flatpak/security/advisories/GHSA-cc2q-qc34-jprg
https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp
https://github.com/flatpak/flatpak/security/advisories/GHSA-2fxp-43j9-pwvc
https://github.com/flatpak/flatpak/security/advisories/GHSA-89xm-3m96-w3jg
CVE: (none) => CVE-2026-34078, CVE-2026-34079
Flags: (none) => affects_mga9+
Source RPM: (none) => flatpak-1.16.3-1.mga10.src.rpm, flatpak-1.14.10-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 1.16.5
Whiteboard: (none) => MGA9TOO
For Cauldron, I asked for a freeze move.
Whiteboard: MGA9TOO => (none)
Flags: affects_mga9+ => (none)
Source RPM: flatpak-1.16.3-1.mga10.src.rpm, flatpak-1.14.10-1.mga9.src.rpm => flatpak-1.14.10-1.mga9.src.rpm
Version: Cauldron => 9
Version 1.16.5 caused some regressions, for instance, chromium does not work. See: https://github.com/flatpak/flatpak/issues/6582 https://github.com/flatpak/flatpak/issues/6583 https://github.com/flatpak/flatpak/issues/6584
For Cauldron, I asked for a freeze move of version 1.16.6, which fixes those regressions.
Status comment: Fixed upstream in 1.16.5 => Fixed upstream in 1.16.6
Thanks again to Nicolas, Cauldron done; leaves M9.
Assignee: bugsquad => pkg-bugs
This is listed as critical security. Can the mga9 1.14 version be updated or does this need an upgrade to 1.16?
CC: (none) => fri
Debian has issued an advisory on April 22: https://lists.debian.org/debian-security-announce/2026/msg00133.html
Status comment: Fixed upstream in 1.16.6 => Fixed upstream in 1.16.6 and patches available from Debian
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Complete sandbox escape leading to host file access and code execution in the host context. (CVE-2026-34078)

Arbitrary file deletion on the host filesystem. (CVE-2026-34079)

References:
https://www.openwall.com/lists/oss-security/2026/04/09/3
https://github.com/flatpak/flatpak/security/advisories/GHSA-cc2q-qc34-jprg
https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp
https://github.com/flatpak/flatpak/security/advisories/GHSA-2fxp-43j9-pwvc
https://github.com/flatpak/flatpak/security/advisories/GHSA-89xm-3m96-w3jg
https://lists.debian.org/debian-security-announce/2026/msg00133.html
========================

Updated packages in core/updates_testing:
========================
flatpak-1.14.10-1.1.mga9
flatpak-tests-1.14.10-1.1.mga9
lib64flatpak-devel-1.14.10-1.1.mga9
lib64flatpak-gir1.0-1.14.10-1.1.mga9
lib64flatpak0-1.14.10-1.1.mga9

from SRPM:
flatpak-1.14.10-1.1.mga9.src.rpm
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 1.16.6 and patches available from Debian => (none)
No installation issues. Tested with Discover to update my SurfShark VPN app with no issues. Also installed Space Cadet Pinball from Flathub with no issues, played a game. Looks OK. Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2026-0133.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Yep OK for me too 64 bit, our released backport kernel 6.18.4-desktop-3.stabletesting
flatpak update
flatpak remove --unused
Used Chromium and Signal
Launch tests of Zoom, KiCad, FreeFileSync