File: changelog

bubblewrap 0.1.7-1
  • area: main
  • in suites: stretch
  • size: 412 kB
  • ctags: 207
  • sloc: ansic: 2,714; xml: 296; sh: 259; makefile: 42
bubblewrap (0.1.7-1) unstable; urgency=medium

  * New upstream release
    - effectively the same as 0.1.6-2
    - drop all patches

 -- Simon McVittie <smcv@debian.org>  Thu, 19 Jan 2017 14:33:46 +0000

bubblewrap (0.1.6-2) unstable; urgency=medium

  * d/p/Make-the-call-to-setsid-optional-with-new-session.patch:
    Add patch from upstream to make the setsid() that addresses
    CVE-2017-5226 optional, because it breaks interactive shells.
    Users of bubblewrap to confine untrusted programs should either
    add --new-session to the bwrap command line, or prevent the
    TIOCSTI ioctl with a seccomp filter instead (as Flatpak does).
    - d/control: add Breaks on versions of Flatpak that did not
      load the necessary seccomp filter to prevent CVE-2017-5226
  * d/p/demos-bubblewrap-shell.sh-Unshare-all-namespaces.patch:
    Add patch from upstream to improve example code
  * d/p/Call-setsid-and-setexeccon-befor-forking-the-init-monitor.patch,
    d/p/Install-seccomp-filter-at-the-very-end.patch:
    Add patches from upstream to re-order initialization. This means
    the seccomp filter is no longer required to account for syscalls that
    are made by bwrap itself.
  * d/p/Add-unshare-all-and-share-net.patch:
    Add patch from upstream introducing new command line options
    --unshare-all and --share-net, for a more whitelist-based approach
    to sharing namespaces with the parent.

 -- Simon McVittie <smcv@debian.org>  Wed, 18 Jan 2017 00:56:19 +0000

bubblewrap (0.1.6-1) unstable; urgency=medium

  * New upstream release
    - drop the only patch, applied upstream
  * debian/patches: update to upstream master for additional fixes
    to SIGCHLD handling and documentation, and improved hardening
    against being able to obtain capabilities
  * debian/bubblewrap.examples: install upstream examples

 -- Simon McVittie <smcv@debian.org>  Sat, 14 Jan 2017 22:18:09 +0000

bubblewrap (0.1.5-2) unstable; urgency=high

  * d/p/Call-setsid-before-executing-sandboxed-code-CVE-2017-5226.patch:
    Call setsid() before executing sandboxed code, preventing a
    sandboxed executable invoked with a controlling terminal (for
    example in Flatpak) from escalating its privileges by injecting
    keypresses into the controlling terminal with the TIOCSTI
    ioctl. (Closes: #850702; CVE-2017-5226)
  * d/control: remove Maintainer status from Laszlo Boszormenyi at his
    request. Add him to Uploaders instead, and hand the package over
    to the Utopia Maintenance Team (the same as OSTree and Flatpak).

 -- Simon McVittie <smcv@debian.org>  Mon, 09 Jan 2017 18:09:54 +0000

bubblewrap (0.1.5-1) unstable; urgency=medium

  * New upstream release
    - drop all patches, applied upstream
    - debian/copyright: update for build system additions

 -- Simon McVittie <smcv@debian.org>  Tue, 20 Dec 2016 11:25:23 +0000

bubblewrap (0.1.4-2) unstable; urgency=medium

  * d/tests/*: only run tests on a real or virtual machine, not in a
    container. bubblewrap is effectively already a container, and
    nesting containers doesn't work particularly well.
    Unfortunately this means the tests won't work on ci.debian.net,
    which uses LXC.

 -- Simon McVittie <smcv@debian.org>  Thu, 01 Dec 2016 12:42:33 +0000

bubblewrap (0.1.4-1) unstable; urgency=medium

  * New upstream release
  * d/p/test-run-be-a-bash-script.patch,
    d/p/test-run-don-t-assume-we-are-uid-1000.patch,
    d/p/Adapt-tests-so-they-can-be-run-against-installed-binaries.patch,
    d/p/Fix-incorrect-nesting-of-backticks-when-finding-a-FUSE-mo.patch:
    improve the upstream tests
  * d/tests/upstream: run the upstream tests as autopkgtests
  * d/rules: Do not enable setuid mode at configure time. If we do, we
    can't run the build-time tests, and it no longer makes any difference
    to the actual code. Make the executable setuid via Debian packaging
    instead.

 -- Simon McVittie <smcv@debian.org>  Tue, 29 Nov 2016 12:55:31 +0000

bubblewrap (0.1.3-1) unstable; urgency=medium

  * New upstream release
    - bring back --set-hostname, the upstream fix for CVE-2016-8659
      makes it no longer a vulnerability

 -- Simon McVittie <smcv@debian.org>  Sun, 16 Oct 2016 14:32:11 +0100

bubblewrap (0.1.2-2) unstable; urgency=high

  * Revert addition of --set-hostname as a short-term fix for
    CVE-2016-8659 (Closes: #840605)

 -- Simon McVittie <smcv@debian.org>  Thu, 13 Oct 2016 11:12:38 +0100

bubblewrap (0.1.2-1) unstable; urgency=medium

  * New upstream release

 -- Simon McVittie <smcv@debian.org>  Fri, 09 Sep 2016 09:22:57 +0100

bubblewrap (0.1.1-1) unstable; urgency=medium

  * New upstream release
    - drop patch, included upstream

 -- Simon McVittie <smcv@debian.org>  Sun, 17 Jul 2016 09:08:35 +0100

bubblewrap (0.1.0-3) unstable; urgency=medium

  * d/control: bubblewrap is Multi-Arch: foreign
  * Hardening: build as a position-independent executable with
    eager symbol binding

 -- Simon McVittie <smcv@debian.org>  Wed, 06 Jul 2016 11:07:32 +0100

bubblewrap (0.1.0-2) unstable; urgency=medium

  * Run basic and dev autopkgtests in addition to userns
  * Really add the regression test for keeping CAP_NET_ADMIN
  * debian/gbp.conf: add DEP-14-style git-buildpackage configuration
  * Normalize package lists via `wrap-and-sort -abst`
  * Add Vcs-Git, Vcs-Browser metadata
  * d/p/build-put-libraries-in-LDADD-not-LDFLAGS.patch: new patch
    fixing linking with -Wl,--as-needed (closes: #826787)

 -- Simon McVittie <smcv@debian.org>  Tue, 14 Jun 2016 16:28:09 -0400

bubblewrap (0.1.0-1) unstable; urgency=low

  * New upstream release (closes: #826358).
  * Add watch file.
  * Add Simon McVittie as uploader.

  [ Simon McVittie <smcv@debian.org> ]
  * debian/copyright: correct package name and source (closes: #824969)
  * debian/control: make the whole package Linux-only. Like Flatpak, this
    package is inherently non-portable.
  * Move from Section: web to Section: admin
  * Increase Priority to optional, because this tool is likely to be
    depended on by gnome-software (via Flatpak) in future
  * Add some simple autopkgtests, including one for bug 71 (closes: #824968)

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 06 Jun 2016 17:20:38 +0000

bubblewrap (0~git160513-2) unstable; urgency=low

  * Install bwrap binary setuid (closes: #824646).
  * Make libselinux1-dev build dependency Linux only.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 19 May 2016 15:24:35 +0000

bubblewrap (0~git160513-1) unstable; urgency=low

  * Initial upload (closes: #823548).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 10 May 2016 08:45:59 +0000