Alexander Larsson announced the release of Flatpak 1.12.3, the latest version of the popular open-source Linux app sandboxing and distribution framework. The third maintenance update fixes two critical security vulnerabilities, including CVE-2021-43860. The flaw allows a malicious repository to send invalid application metadata that hides some app permissions during installation. The other vulnerability allows the “flatpak-builder --mirror-screenshots-url” command to create directories outside of the build directory.
More PulseAudio configurations
The latest release also improves support for more PulseAudio configurations, including the one used in WSL2. Flatpak 1.12.3 provides better handling of updates of extensions that exist in multiple repositories, and “flatpak run --session-bus” now works.
In the latest release, extra-data downloading handles compressed content-encodings properly, which fixes checksum verification. Flatpak 1.12.3 can be downloaded from its official GitHub page.
Notable changes:
- Extra-data downloading now properly handles compressed content-encodings which fixes checksum verification
- Avoid unnecessary policy-kit dialog due to auto-pinning when installing runtimes
- Better handling of updates of extensions that exist in multiple repositories
- Fixed (initial) installation of apps with renamed ids
- Support more PulseAudio configurations, including the one used in WSL2
- Fixed regression in updates from no-enumerate remotes
- We now verify checksums of summary caches, to better handle local file corruption
- Improved CLI output for non-terminal targets
- flatpak run --session-bus now works
- Fix build with PyParsing >= 3.0.4
- Fixed “Since” annotations on FlatpakTransaction signals
- bash auto-completion now doesn’t complete on command name aliases
- Minor improvements to the search command
- Minor improvements to the list command
- Minor improvements to the repair command
- Add more tests
- Updated translations and docs