Security update for flatpak

Announcement ID:	SUSE-SU-2023:1714-1
Rating:	important
References:	bsc#1209410 bsc#1209411
Cross-References:	CVE-2023-28100 CVE-2023-28101
CVSS scores:	CVE-2023-28100 ( SUSE ): 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVE-2023-28100 ( NVD ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H CVE-2023-28101 ( SUSE ): 6.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N CVE-2023-28101 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Affected Products:	SUSE Enterprise Storage 7 SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 SUSE Linux Enterprise Real Time 15 SP3 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP3

An update that solves two vulnerabilities can now be installed.

Description:

This update for flatpak fixes the following issues:

CVE-2023-28101: Fixed misleading terminal output with metadata with ANSI control codes (bsc#1209410).
CVE-2023-28100: Fixed unsandboxed TIOCLINUX commands (bsc#1209411).

Update to version 1.10.8:

If an app update is blocked by parental controls policies, clean up the temporary deploy directory
Fix Autotools build with versions of gpgme that no longer provide gpgme-config(1)
Fix regressions in flatpak history since 1.9.1
Don't display the appstream branch used internally
Don't display temporary repositories used internally
Ignore transaction log entries with empty REF field
Warn instead of failing if other non-app, non-runtime refs are found
Don't set up an unnecessary polkit agent for flatpak history
Add test coverage
Fix a typo in an error message
Fix incorrect year in NEWS for 1.10.7 release
Translation update: pl
Add test coverage for Flatpak's seccomp filters

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-1714=1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3
zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-1714=1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-1714=1
SUSE Linux Enterprise Real Time 15 SP3
zypper in -t patch SUSE-SLE-Product-RT-15-SP3-2023-1714=1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-1714=1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-1714=1
SUSE Linux Enterprise Server for SAP Applications 15 SP2
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2023-1714=1
SUSE Linux Enterprise Server for SAP Applications 15 SP3
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-1714=1
SUSE Enterprise Storage 7.1
zypper in -t patch SUSE-Storage-7.1-2023-1714=1
SUSE Enterprise Storage 7
zypper in -t patch SUSE-Storage-7-2023-1714=1

Package List:

SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (aarch64 x86_64)
- flatpak-1.10.8-150200.4.15.1
- flatpak-debugsource-1.10.8-150200.4.15.1
- flatpak-zsh-completion-1.10.8-150200.4.15.1
- libflatpak0-1.10.8-150200.4.15.1
- libflatpak0-debuginfo-1.10.8-150200.4.15.1
- flatpak-devel-1.10.8-150200.4.15.1
- system-user-flatpak-1.10.8-150200.4.15.1
- typelib-1_0-Flatpak-1_0-1.10.8-150200.4.15.1
- flatpak-debuginfo-1.10.8-150200.4.15.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (aarch64 x86_64)
- flatpak-1.10.8-150200.4.15.1
- flatpak-debugsource-1.10.8-150200.4.15.1
- flatpak-zsh-completion-1.10.8-150200.4.15.1
- libflatpak0-1.10.8-150200.4.15.1
- libflatpak0-debuginfo-1.10.8-150200.4.15.1
- flatpak-devel-1.10.8-150200.4.15.1
- system-user-flatpak-1.10.8-150200.4.15.1
- typelib-1_0-Flatpak-1_0-1.10.8-150200.4.15.1
- flatpak-debuginfo-1.10.8-150200.4.15.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64)
- flatpak-1.10.8-150200.4.15.1
- flatpak-debugsource-1.10.8-150200.4.15.1
- flatpak-zsh-completion-1.10.8-150200.4.15.1
- libflatpak0-1.10.8-150200.4.15.1
- libflatpak0-debuginfo-1.10.8-150200.4.15.1
- flatpak-devel-1.10.8-150200.4.15.1
- system-user-flatpak-1.10.8-150200.4.15.1
- typelib-1_0-Flatpak-1_0-1.10.8-150200.4.15.1
- flatpak-debuginfo-1.10.8-150200.4.15.1
SUSE Linux Enterprise Real Time 15 SP3 (x86_64)
- flatpak-1.10.8-150200.4.15.1
- flatpak-debugsource-1.10.8-150200.4.15.1
- flatpak-zsh-completion-1.10.8-150200.4.15.1
- libflatpak0-1.10.8-150200.4.15.1
- libflatpak0-debuginfo-1.10.8-150200.4.15.1
- flatpak-devel-1.10.8-150200.4.15.1
- system-user-flatpak-1.10.8-150200.4.15.1
- typelib-1_0-Flatpak-1_0-1.10.8-150200.4.15.1
- flatpak-debuginfo-1.10.8-150200.4.15.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 ppc64le s390x x86_64)
- flatpak-1.10.8-150200.4.15.1
- flatpak-debugsource-1.10.8-150200.4.15.1
- flatpak-zsh-completion-1.10.8-150200.4.15.1
- libflatpak0-1.10.8-150200.4.15.1
- libflatpak0-debuginfo-1.10.8-150200.4.15.1
- flatpak-devel-1.10.8-150200.4.15.1
- system-user-flatpak-1.10.8-150200.4.15.1
- typelib-1_0-Flatpak-1_0-1.10.8-150200.4.15.1
- flatpak-debuginfo-1.10.8-150200.4.15.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x x86_64)
- flatpak-1.10.8-150200.4.15.1
- flatpak-debugsource-1.10.8-150200.4.15.1
- flatpak-zsh-completion-1.10.8-150200.4.15.1
- libflatpak0-1.10.8-150200.4.15.1
- libflatpak0-debuginfo-1.10.8-150200.4.15.1
- flatpak-devel-1.10.8-150200.4.15.1
- system-user-flatpak-1.10.8-150200.4.15.1
- typelib-1_0-Flatpak-1_0-1.10.8-150200.4.15.1
- flatpak-debuginfo-1.10.8-150200.4.15.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64)
- flatpak-1.10.8-150200.4.15.1
- flatpak-debugsource-1.10.8-150200.4.15.1
- flatpak-zsh-completion-1.10.8-150200.4.15.1
- libflatpak0-1.10.8-150200.4.15.1
- libflatpak0-debuginfo-1.10.8-150200.4.15.1
- flatpak-devel-1.10.8-150200.4.15.1
- system-user-flatpak-1.10.8-150200.4.15.1
- typelib-1_0-Flatpak-1_0-1.10.8-150200.4.15.1
- flatpak-debuginfo-1.10.8-150200.4.15.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64)
- flatpak-1.10.8-150200.4.15.1
- flatpak-debugsource-1.10.8-150200.4.15.1
- flatpak-zsh-completion-1.10.8-150200.4.15.1
- libflatpak0-1.10.8-150200.4.15.1
- libflatpak0-debuginfo-1.10.8-150200.4.15.1
- flatpak-devel-1.10.8-150200.4.15.1
- system-user-flatpak-1.10.8-150200.4.15.1
- typelib-1_0-Flatpak-1_0-1.10.8-150200.4.15.1
- flatpak-debuginfo-1.10.8-150200.4.15.1
SUSE Enterprise Storage 7.1 (aarch64 x86_64)
- flatpak-1.10.8-150200.4.15.1
- flatpak-debugsource-1.10.8-150200.4.15.1
- flatpak-zsh-completion-1.10.8-150200.4.15.1
- libflatpak0-1.10.8-150200.4.15.1
- libflatpak0-debuginfo-1.10.8-150200.4.15.1
- flatpak-devel-1.10.8-150200.4.15.1
- system-user-flatpak-1.10.8-150200.4.15.1
- typelib-1_0-Flatpak-1_0-1.10.8-150200.4.15.1
- flatpak-debuginfo-1.10.8-150200.4.15.1
SUSE Enterprise Storage 7 (aarch64 x86_64)
- flatpak-1.10.8-150200.4.15.1
- flatpak-debugsource-1.10.8-150200.4.15.1
- flatpak-zsh-completion-1.10.8-150200.4.15.1
- libflatpak0-1.10.8-150200.4.15.1
- libflatpak0-debuginfo-1.10.8-150200.4.15.1
- flatpak-devel-1.10.8-150200.4.15.1
- system-user-flatpak-1.10.8-150200.4.15.1
- typelib-1_0-Flatpak-1_0-1.10.8-150200.4.15.1
- flatpak-debuginfo-1.10.8-150200.4.15.1

Security update for flatpak

Description:

Patch Instructions:

Package List:

References: