bubblewrap (0.6.1-1ubuntu0.1) jammy-security; urgency=medium
* This is expected to be included in 0.10.0, and is necessary to resolve
CVE-2024-42472 in Flatpak without introducing a potentially exploitable
race condition.
-- Leonidas Da Silva Barbosa <leo.barbosa@canonical.com> Mon, 23 Sep 2024 12:52:33 -0300
bubblewrap (0.6.1-1) unstable; urgency=medium
* New upstream release
* Build using Meson
-- Simon McVittie <smcv@debian.org> Fri, 25 Feb 2022 17:46:05 +0000
bubblewrap (0.6.0-1) unstable; urgency=medium
* New upstream release
-- Simon McVittie <smcv@debian.org> Thu, 24 Feb 2022 14:39:45 +0000
bubblewrap (0.5.0-1) unstable; urgency=medium
* New upstream release
- Drop patches that were applied upstream
* Standards-Version: 4.6.0 (no changes required)
* Use recommended debhelper compat level 13
- No need to check for DEB_BUILD_OPTIONS=nocheck any more
* Release to unstable
-- Simon McVittie <smcv@debian.org> Fri, 20 Aug 2021 16:19:25 +0100
bubblewrap (0.4.1+git20210624-1) experimental; urgency=medium
* Branch for experimental
* New upstream git snapshot
- When creating mount points for files, create them read-only
- Allow mounting a non-directory over any existing non-directory,
non-symlink, in particular mounting a socket over a socket
- Add zsh completion
- Cope better with case-insensitive filesystems
- Better error messages when failing to mount a filesystem
- New --clearenv option
- New --perms option allows control over permissions of --bind-data,
--dir (if newly-created), --file, --ro-bind-data and --tmpfs
- New --chmod option
- Better test coverage
- Better zsh completion
- Drop most patches, applied upstream
* d/README.Debian: Clarify when a setuid bwrap was normally used
* d/rules: Don't install bash completion as an executable script
* d/p/build-Fix-installation-of-zsh-completions-in-user-specifi.patch,
d/p/completions-Don-t-start-bash-completion-with.patch:
Add patches to fix shell completions
-- Simon McVittie <smcv@debian.org> Mon, 28 Jun 2021 14:37:50 +0100
bubblewrap (0.4.1-3) unstable; urgency=medium
* Stop making /usr/bin/bwrap setuid root.
With Debian kernels >= 5.10, this is no longer necessary: unprivileged
users can now create user namespaces, the same as in upstream kernels
and Ubuntu.
For smooth upgrades, install a sysctl configuration fragment that will
configure older kernels to behave similarly if the recommended procps
package is installed, or if booting with systemd. (Closes: #977841)
- This change also makes more Flatpak features available; in
particular, it is necessary for the Chromium browser.
(Closes: #977758)
* Include setuid status, etc. in bug reports
-- Simon McVittie <smcv@debian.org> Sun, 03 Jan 2021 14:13:01 +0000
bubblewrap (0.4.1-2) unstable; urgency=medium
* d/gbp.conf: Rename development branch to debian/latest
* Standards-Version: 4.5.1 (no changes required)
* Reference CVE-2020-5291 in previous changelog entry
* Add some bugfix patches from upstream
- Correct the name of PR_SET_NO_NEW_PRIVS in an error message
- Silence warnings from the kernel when a non-Y2038-compliant
filesystem such as xfs is remounted into the sandbox
- Don't fail if /proc is read-only, as it can be inside Docker
* Forward python3 patch upstream
* d/control: Canonicalize case of Multi-Arch
* Add a patch to fix typos in the man page
* Add a README.Debian describing ways in which bubblewrap can be used
* Add patch to include Debian-specific links in EPERM error message
-- Simon McVittie <smcv@debian.org> Fri, 01 Jan 2021 15:31:11 +0000
bubblewrap (0.4.1-1) unstable; urgency=high
* New upstream release
- Fixes a root privilege escalation vulnerability introduced in 0.4.0,
in cases where the kernel allows creation of user namespaces by
unprivileged users and bwrap is (unnecessarily) setuid root.
Debian systems are vulnerable if
/proc/sys/kernel/unprivileged_userns_clone (default 0) has been
changed to 1, or if using an upstream kernel instead of a Debian
kernel.
Ubuntu systems are not normally vulnerable, because bwrap is not
normally setuid there.
(GHSA-j2qp-rvxj-43vj, CVE-2020-5291)
- Fixes test failure with libcap >= 2.29 (Closes: #951577)
* Update various URLs from https://github.com/projectatomic/bubblewrap
to https://github.com/containers/bubblewrap
* Set upstream metadata fields: Repository.
* Remove obsolete field Name from debian/upstream/metadata (already
present in machine-readable debian/copyright).
* Standards-Version: 4.5.0 (no changes required)
* d/tests/control: Qualify CLI tools with :native.
Thanks to Steve Langasek (Closes: #948617)
-- Simon McVittie <smcv@debian.org> Mon, 30 Mar 2020 14:33:54 +0100
bubblewrap (0.4.0-1) unstable; urgency=medium
* New upstream release
* Use debhelper-compat 12
* Standards-Version: 4.4.1 (no changes required)
-- Simon McVittie <smcv@debian.org> Thu, 28 Nov 2019 11:14:41 +0000
bubblewrap (0.3.3-2) unstable; urgency=medium
* Release to unstable
* d/salsa-ci.yml: Request standard CI on salsa.debian.org
* d/rules: Disable any active LD_PRELOAD hacks while running tests.
These will typically assume a fully-featured OS (for example faketime
assumes sem_open() will work), but bubblewrap is a low-level tool
that temporarily operates in a container that is only partially
functional (for example /dev/shm isn't always mounted).
* Standards-Version: 4.4.0 (no changes required)
-- Simon McVittie <smcv@debian.org> Tue, 09 Jul 2019 09:34:53 +0100
# For older changelog entries, run 'apt-get changelog bubblewrap'
Generated by dwww version 1.14 on Sun Feb 2 13:37:57 CET 2025.