NEWS, configure.ac: Update for version 1.14.10

Signed-off-by: Simon McVittie <[email protected]>
flatpak · Aug 14, 2024 · 9ad26d7 · 9ad26d7
1 parent 7c63e53
commit 9ad26d7
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 4 deletions.
diff --git a/NEWS b/NEWS
@@ -1,11 +1,30 @@
-Changes in 1.14.9
-~~~~~~~~~~~~~~~~~
-Released: not yet
+Changes in 1.14.10
+~~~~~~~~~~~~~~~~~~
+Released: 2024-08-14
+
+Dependencies:
+
+ * In distributions that compile Flatpak to use a separate bubblewrap (bwrap)
+   executable, either version 0.10.0, version 0.6.x ≥ 0.6.3, or a version
+   with a backport of the --bind-fd option is required.
+   These versions add a new feature which is required by the security fix
+   in this release.
+
+Security fixes:
+
+ * Don't follow symbolic links when mounting persistent directories
+   (--persist option). This prevents a sandbox escape where a malicious or
+   compromised app could edit the symlink to point to a directory that
+   the app should not have been allowed to read or write.
+   (CVE-2024-42472, GHSA-7hgv-f2j8-xw87)
 
 Documentation:
 
  * Mark the 1.12.x and 1.10.x branches as end-of-life (#5352)
 
+Version 1.14.9 was not released due to an incompatibility with older
+versions of GLib. Version 1.14.10 replaces it.
+
 Changes in 1.14.8
 ~~~~~~~~~~~~~~~~~
 Released: 2024-04-30

diff --git a/configure.ac b/configure.ac
@@ -15,7 +15,7 @@ AC_PREREQ([2.63])
 
 m4_define([flatpak_major_version], [1])
 m4_define([flatpak_minor_version], [14])
-m4_define([flatpak_micro_version], [8])
+m4_define([flatpak_micro_version], [10])
 m4_define([flatpak_extra_version], [])
 m4_define([flatpak_interface_age], [0])
 m4_define([flatpak_binary_age],