-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1582
                          flatpak security update
                               23 June 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           flatpak
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Linux variants
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-9780  

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-3895

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running flatpak check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3895-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 22, 2017                         https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : flatpak
CVE ID         : CVE-2017-9780

It was discovered that Flatpak, an application deployment framework for
desktop apps insufficiently restricted file permissinons in third-party
repositories, which could result in privilege escalation.

For the stable distribution (stretch), this problem has been fixed in
version 0.8.5-2+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 0.8.7-1.

We recommend that you upgrade your flatpak packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAllMARwACgkQEMKTtsN8
TjbZ6hAAoKoaQJvsB3JLNm0oIhMJ6FLNDZhBRBH7uD1DWOZAVk+YNK/m+4Q0O9yq
+w1TrsFHI1MYhM/FSXhVP4L2RENaGGCYscpZLxRVOi0AuYprjsFL49LKqZC8RdQY
VaUlJWl90R2WPZcNSmuI2Q3reav6nPxDPdZfb2PK8Drg7JVda2DroJk/PF6gql7P
+4JZ4FoPgCjb6q9yZQWypJ74lBLYEBkQT3I/4iOnLHNU3iOiZ2XsIo7d/kvMmH7q
EldGivROFw3t9q/MlyaIYaeh6UOBg0C6aijJczVwhWlQ8G7jOSUrlN8DnsbX/2Wu
x5yaAkZFnur0F1FQ3zJoH9sKLkjCWOw0UlRhf2AV1HXuptvjB0De7R6km2g4cFbv
ykPL0ljHbdUNG9DlXQpr+yUSPeqh7d16Qhwhf8QBgcRlbo4Q7Z536k77G33bQask
D0r4HZ3GH/SizY4eX2smDGGdZ51YarqJvt5t18+E4r5vwe8/wd9zBadf9/iuMK5B
rUiQ1QbaEC2xwXKMe2sxnC1PLAW8Xqx8Vwb6SFeRqFQIGe1F1FnBSxONjMUgx6Z/
l3NUdLqyVBfjrS5paL113a4sWtskwO9NHTpQnJBD4hXDLTLi6kdR4aQfFhDf3dd4
wgai9t5njMLkFjPpQE2GcZ+Aite8ylDovudXYAVuOjW7sNNFz+A=
=StXu
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWUxS+4x+lLeg9Ub1AQjg5g/6AkVqcDVZc14SNAARv6psK1Rh6yPcgBFG
rw7MGfeprKNtM4zGnjsP13PzGSNRlPeAonKGeLfYR3AqFbgBERoCGw2ZRoL4LMDY
Tm+46LSOPfWdk13uOOVyI8Mz0QqZHVJXvLt3WJVknU4L9cH9uPTbJoorAbmRJFsg
hbwYoGpd+IlwnvEiPszedaqFcUKh0Hqx26DbBmY1CJhQ6o5b6KZTOJOQjFwMKlyA
2qHn8FRTsG3iBdJjf2YDD6N2WEiyQVZ1ovKOMnD1u4ekP+3Sb8E0T8GcEiEX0RsK
bb4HL+tWrSMw8uDUGaGGCQWdV9OH1ypRp+ORLa1G+QHYsuV4o3WoSqlMoZlUDP4A
amM6/RhOXAoacRnSJygJu+/5pX86vpKS0z9b97UHqQgirpUll+k/LwjEXorrI/fs
38mwzylNZK8pOdvSWJ2oe286kO/2ArIFH4uLly2koWkesiV5pOUYatNV4lVoMtiz
jrZtcZ9b/8Wz+8luQ8X9HoX4jial82xcy0bd/yO4UDsqBJnKV+o6A530C3RQJq80
J7wR1QOmr1j0xCw4v53aNr0Pv5NReNwGWVmf+5MtGrkrX7Z+3NE7wwgeP0S23n1a
pfMwC1YjeSn4TSldpgsAPH/uNMZoK3Is1n/dJYijgLJ1r+JNac02fX1Qo/WZtn0E
3mEHGLWINBc=
=eIB+
-----END PGP SIGNATURE-----