Changelog
bubblewrap (0.1.6-2) unstable; urgency=medium
* d/p/Make-the-call-to-setsid-optional-with-new-session.patch:
Add patch from upstream to make the setsid() that addresses
CVE-2017-5226 optional, because it breaks interactive shells.
Users of bubblewrap to confine untrusted programs should either
add --new-session to the bwrap command line, or prevent the
TIOCSTI ioctl with a seccomp filter instead (as Flatpak does).
- d/control: add Breaks on versions of Flatpak that did not
load the necessary seccomp filter to prevent CVE-2017-5226
* d/p/demos-bubblewrap-shell.sh-Unshare-all-namespaces.patch:
Add patch from upstream to improve example code
* d/p/Call-setsid-and-setexeccon-befor-forking-the-init-monitor.patch,
d/p/Install-seccomp-filter-at-the-very-end.patch:
Add patches from upstream to re-order initialization. This means
the seccomp filter is no longer required to account for syscalls that
are made by bwrap itself.
* d/p/Add-unshare-all-and-share-net.patch:
Add patch from upstream introducing new command line options
--unshare-all and --share-net, for a more whitelist-based approach
to sharing namespaces with the parent.
-- Simon McVittie <email address hidden> Wed, 18 Jan 2017 00:56:19 +0000