bubblewrap (0.1.7-1~bpo8+1) jessie-backports; urgency=medium * Rebuild for jessie-backports - debian/gbp.conf: adjust for this branch -- Simon McVittie Mon, 27 Feb 2017 11:05:06 +0000 bubblewrap (0.1.7-1) unstable; urgency=medium * New upstream release - effectively the same as 0.1.6-2 - drop all patches -- Simon McVittie Thu, 19 Jan 2017 14:33:46 +0000 bubblewrap (0.1.6-2) unstable; urgency=medium * d/p/Make-the-call-to-setsid-optional-with-new-session.patch: Add patch from upstream to make the setsid() that addresses CVE-2017-5226 optional, because it breaks interactive shells. Users of bubblewrap to confine untrusted programs should either add --new-session to the bwrap command line, or prevent the TIOCSTI ioctl with a seccomp filter instead (as Flatpak does). - d/control: add Breaks on versions of Flatpak that did not load the necessary seccomp filter to prevent CVE-2017-5226 * d/p/demos-bubblewrap-shell.sh-Unshare-all-namespaces.patch: Add patch from upstream to improve example code * d/p/Call-setsid-and-setexeccon-befor-forking-the-init-monitor.patch, d/p/Install-seccomp-filter-at-the-very-end.patch: Add patches from upstream to re-order initialization. This means the seccomp filter is no longer required to account for syscalls that are made by bwrap itself. * d/p/Add-unshare-all-and-share-net.patch: Add patch from upstream introducing new command line options --unshare-all and --share-net, for a more whitelist-based approach to sharing namespaces with the parent. -- Simon McVittie Wed, 18 Jan 2017 00:56:19 +0000 bubblewrap (0.1.6-1) unstable; urgency=medium * New upstream release - drop the only patch, applied upstream * debian/patches: update to upstream master for additional fixes to SIGCHLD handling and documentation, and improved hardening against being able to obtain capabilities * debian/bubblewrap.examples: install upstream examples -- Simon McVittie Sat, 14 Jan 2017 22:18:09 +0000 bubblewrap (0.1.5-2~bpo8+1) jessie-backports; urgency=medium * Rebuild for jessie-backports - debian/gbp.conf: adjust for this branch -- Simon McVittie Mon, 09 Jan 2017 18:19:10 +0000 bubblewrap (0.1.5-2) unstable; urgency=high * d/p/Call-setsid-before-executing-sandboxed-code-CVE-2017-5226.patch: Call setsid() before executing sandboxed code, preventing a sandboxed executable invoked with a controlling terminal (for example in Flatpak) from escalating its privileges by injecting keypresses into the controlling terminal with the TIOCSTI ioctl. (Closes: #850702; CVE-2017-5226) * d/control: remove Maintainer status from Laszlo Boszormenyi at his request. Add him to Uploaders instead, and hand the package over to the Utopia Maintenance Team (the same as OSTree and Flatpak). -- Simon McVittie Mon, 09 Jan 2017 18:09:54 +0000 bubblewrap (0.1.5-1) unstable; urgency=medium * New upstream release - drop all patches, applied upstream - debian/copyright: update for build system additions -- Simon McVittie Tue, 20 Dec 2016 11:25:23 +0000 bubblewrap (0.1.4-2~bpo8+1) jessie-backports; urgency=medium * Rebuild for jessie-backports - debian/gbp.conf: adjust for this branch -- Simon McVittie Mon, 12 Dec 2016 16:12:30 +0000 bubblewrap (0.1.4-2) unstable; urgency=medium * d/tests/*: only run tests on a real or virtual machine, not in a container. bubblewrap is effectively already a container, and nesting containers doesn't work particularly well. Unfortunately this means the tests won't work on ci.debian.net, which uses LXC. -- Simon McVittie Thu, 01 Dec 2016 12:42:33 +0000 bubblewrap (0.1.4-1) unstable; urgency=medium * New upstream release * d/p/test-run-be-a-bash-script.patch, d/p/test-run-don-t-assume-we-are-uid-1000.patch, d/p/Adapt-tests-so-they-can-be-run-against-installed-binaries.patch, d/p/Fix-incorrect-nesting-of-backticks-when-finding-a-FUSE-mo.patch: improve the upstream tests * d/tests/upstream: run the upstream tests as autopkgtests * d/rules: Do not enable setuid mode at configure time. If we do, we can't run the build-time tests, and it no longer makes any difference to the actual code. Make the executable setuid via Debian packaging instead. -- Simon McVittie Tue, 29 Nov 2016 12:55:31 +0000 bubblewrap (0.1.3-1~bpo8+1) jessie-backports; urgency=medium * Rebuild for jessie-backports - debian/gbp.conf: adjust for this branch -- Simon McVittie Sun, 20 Nov 2016 12:24:03 +0000 bubblewrap (0.1.3-1) unstable; urgency=medium * New upstream release - bring back --set-hostname, the upstream fix for CVE-2016-8659 makes it no longer a vulnerability -- Simon McVittie Sun, 16 Oct 2016 14:32:11 +0100 bubblewrap (0.1.2-2~bpo8+1) jessie-backports; urgency=high * Rebuild for jessie-backports - debian/gbp.conf: adjust for this branch -- Simon McVittie Thu, 13 Oct 2016 22:09:36 +0100 bubblewrap (0.1.2-2) unstable; urgency=high * Revert addition of --set-hostname as a short-term fix for CVE-2016-8659 (Closes: #840605) -- Simon McVittie Thu, 13 Oct 2016 11:12:38 +0100 bubblewrap (0.1.2-1~bpo8+1) jessie-backports; urgency=medium * Rebuild for jessie-backports, to support a Flatpak backport. - debian/gbp.conf: adjust for this branch -- Simon McVittie Tue, 27 Sep 2016 16:23:46 +0100 bubblewrap (0.1.2-1) unstable; urgency=medium * New upstream release -- Simon McVittie Fri, 09 Sep 2016 09:22:57 +0100 bubblewrap (0.1.1-1) unstable; urgency=medium * New upstream release - drop patch, included upstream -- Simon McVittie Sun, 17 Jul 2016 09:08:35 +0100 bubblewrap (0.1.0-3) unstable; urgency=medium * d/control: bubblewrap is Multi-Arch: foreign * Hardening: build as a position-independent executable with eager symbol binding -- Simon McVittie Wed, 06 Jul 2016 11:07:32 +0100 bubblewrap (0.1.0-2) unstable; urgency=medium * Run basic and dev autopkgtests in addition to userns * Really add the regression test for keeping CAP_NET_ADMIN * debian/gbp.conf: add DEP-14-style git-buildpackage configuration * Normalize package lists via `wrap-and-sort -abst` * Add Vcs-Git, Vcs-Browser metadata * d/p/build-put-libraries-in-LDADD-not-LDFLAGS.patch: new patch fixing linking with -Wl,--as-needed (closes: #826787) -- Simon McVittie Tue, 14 Jun 2016 16:28:09 -0400 bubblewrap (0.1.0-1) unstable; urgency=low * New upstream release (closes: #826358). * Add watch file. * Add Simon McVittie as uploader. [ Simon McVittie ] * debian/copyright: correct package name and source (closes: #824969) * debian/control: make the whole package Linux-only. Like Flatpak, this package is inherently non-portable. * Move from Section: web to Section: admin * Increase Priority to optional, because this tool is likely to be depended on by gnome-software (via Flatpak) in future * Add some simple autopkgtests, including one for bug 71 (closes: #824968) -- Laszlo Boszormenyi (GCS) Mon, 06 Jun 2016 17:20:38 +0000 bubblewrap (0~git160513-2) unstable; urgency=low * Install bwrap binary setuid (closes: #824646). * Make libselinux1-dev build dependency Linux only. -- Laszlo Boszormenyi (GCS) Thu, 19 May 2016 15:24:35 +0000 bubblewrap (0~git160513-1) unstable; urgency=low * Initial upload (closes: #823548). -- Laszlo Boszormenyi (GCS) Tue, 10 May 2016 08:45:59 +0000