bubblewrap (0.8.0-2) unstable; urgency=medium
* Upload to unstable.
The changes since 0.7.0 are small, and if a Flatpak vulnerability
similar to CVE-2021-41133 is reported during the Debian 12 release
lifetime, having the new --disable-userns option will give us more
options for how to prevent it.
-- Simon McVittie <smcv@debian.org> Tue, 28 Feb 2023 09:38:53 +0000
bubblewrap (0.8.0-1) experimental; urgency=medium
* New upstream release
* d/p/test-run-Filter-out-no-new-privs-in-capsh-output.patch:
Drop patch that was applied upstream
* d/p/tests-Explicitly-unshare-userns-when-testing-disable-user.patch,
d/p/tests-Try-harder-to-evade-disable-userns.patch:
Add proposed patches to fix test failure when run as root
-- Simon McVittie <smcv@debian.org> Mon, 27 Feb 2023 12:30:28 +0000
bubblewrap (0.7.0-2) unstable; urgency=medium
* d/p/test-run-Filter-out-no-new-privs-in-capsh-output.patch:
Add patch from upstream to fix test failure with newer capsh
* Update standards version to 4.6.2 (no changes needed)
* Remove version constraints unnecessary since buster (oldstable)
-- Simon McVittie <smcv@debian.org> Wed, 11 Jan 2023 18:30:16 +0000
bubblewrap (0.7.0-1) unstable; urgency=medium
* New upstream release
* Standards-Version: 4.6.1 (no changes required)
* d/watch: Adapt to Github web page changes
* d/control: Add test dependencies to Build-Depends.
We can't run build-time tests in locked-down buildd chroots, but we can
run them in privileged Docker containers on Salsa-CI, which will need
these extra packages.
-- Simon McVittie <smcv@debian.org> Mon, 07 Nov 2022 17:57:24 +0000
bubblewrap (0.6.2-1) unstable; urgency=medium
* New upstream release
-- Simon McVittie <smcv@debian.org> Wed, 11 May 2022 15:07:05 +0100
bubblewrap (0.6.1-1) unstable; urgency=medium
* New upstream release
* Build using Meson
-- Simon McVittie <smcv@debian.org> Fri, 25 Feb 2022 17:46:05 +0000
bubblewrap (0.6.0-1) unstable; urgency=medium
* New upstream release
-- Simon McVittie <smcv@debian.org> Thu, 24 Feb 2022 14:39:45 +0000
bubblewrap (0.5.0-1) unstable; urgency=medium
* New upstream release
- Drop patches that were applied upstream
* Standards-Version: 4.6.0 (no changes required)
* Use recommended debhelper compat level 13
- No need to check for DEB_BUILD_OPTIONS=nocheck any more
* Release to unstable
-- Simon McVittie <smcv@debian.org> Fri, 20 Aug 2021 16:19:25 +0100
bubblewrap (0.4.1+git20210624-1) experimental; urgency=medium
* Branch for experimental
* New upstream git snapshot
- When creating mount points for files, create them read-only
- Allow mounting a non-directory over any existing non-directory,
non-symlink, in particular mounting a socket over a socket
- Add zsh completion
- Cope better with case-insensitive filesystems
- Better error messages when failing to mount a filesystem
- New --clearenv option
- New --perms option allows control over permissions of --bind-data,
--dir (if newly-created), --file, --ro-bind-data and --tmpfs
- New --chmod option
- Better test coverage
- Better zsh completion
- Drop most patches, applied upstream
* d/README.Debian: Clarify when a setuid bwrap was normally used
* d/rules: Don't install bash completion as an executable script
* d/p/build-Fix-installation-of-zsh-completions-in-user-specifi.patch,
d/p/completions-Don-t-start-bash-completion-with.patch:
Add patches to fix shell completions
-- Simon McVittie <smcv@debian.org> Mon, 28 Jun 2021 14:37:50 +0100
bubblewrap (0.4.1-3) unstable; urgency=medium
* Stop making /usr/bin/bwrap setuid root.
With Debian kernels >= 5.10, this is no longer necessary: unprivileged
users can now create user namespaces, the same as in upstream kernels
and Ubuntu.
For smooth upgrades, install a sysctl configuration fragment that will
configure older kernels to behave similarly if the recommended procps
package is installed, or if booting with systemd. (Closes: #977841)
- This change also makes more Flatpak features available; in
particular, it is necessary for the Chromium browser.
(Closes: #977758)
* Include setuid status, etc. in bug reports
-- Simon McVittie <smcv@debian.org> Sun, 03 Jan 2021 14:13:01 +0000
bubblewrap (0.4.1-2) unstable; urgency=medium
* d/gbp.conf: Rename development branch to debian/latest
* Standards-Version: 4.5.1 (no changes required)
* Reference CVE-2020-5291 in previous changelog entry
* Add some bugfix patches from upstream
- Correct the name of PR_SET_NO_NEW_PRIVS in an error message
- Silence warnings from the kernel when a non-Y2038-compliant
filesystem such as xfs is remounted into the sandbox
- Don't fail if /proc is read-only, as it can be inside Docker
* Forward python3 patch upstream
* d/control: Canonicalize case of Multi-Arch
* Add a patch to fix typos in the man page
* Add a README.Debian describing ways in which bubblewrap can be used
* Add patch to include Debian-specific links in EPERM error message
-- Simon McVittie <smcv@debian.org> Fri, 01 Jan 2021 15:31:11 +0000
bubblewrap (0.4.1-1) unstable; urgency=high
* New upstream release
- Fixes a root privilege escalation vulnerability introduced in 0.4.0,
in cases where the kernel allows creation of user namespaces by
unprivileged users and bwrap is (unnecessarily) setuid root.
Debian systems are vulnerable if
/proc/sys/kernel/unprivileged_userns_clone (default 0) has been
changed to 1, or if using an upstream kernel instead of a Debian
kernel.
Ubuntu systems are not normally vulnerable, because bwrap is not
normally setuid there.
(GHSA-j2qp-rvxj-43vj, CVE-2020-5291)
- Fixes test failure with libcap >= 2.29 (Closes: #951577)
* Update various URLs from https://github.com/projectatomic/bubblewrap
to https://github.com/containers/bubblewrap
* Set upstream metadata fields: Repository.
* Remove obsolete field Name from debian/upstream/metadata (already
present in machine-readable debian/copyright).
* Standards-Version: 4.5.0 (no changes required)
* d/tests/control: Qualify CLI tools with :native.
Thanks to Steve Langasek (Closes: #948617)
-- Simon McVittie <smcv@debian.org> Mon, 30 Mar 2020 14:33:54 +0100
bubblewrap (0.4.0-1) unstable; urgency=medium
* New upstream release
* Use debhelper-compat 12
* Standards-Version: 4.4.1 (no changes required)
-- Simon McVittie <smcv@debian.org> Thu, 28 Nov 2019 11:14:41 +0000
bubblewrap (0.3.3-2) unstable; urgency=medium
* Release to unstable
* d/salsa-ci.yml: Request standard CI on salsa.debian.org
* d/rules: Disable any active LD_PRELOAD hacks while running tests.
These will typically assume a fully-featured OS (for example faketime
assumes sem_open() will work), but bubblewrap is a low-level tool
that temporarily operates in a container that is only partially
functional (for example /dev/shm isn't always mounted).
* Standards-Version: 4.4.0 (no changes required)
-- Simon McVittie <smcv@debian.org> Tue, 09 Jul 2019 09:34:53 +0100
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog bubblewrap`.
Generated by dwww version 1.15 on Thu Jun 27 22:43:55 CEST 2024.