bubblewrap (0.1.7-0ubuntu0.16.10.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: bubblewrap escape via TIOCSTI ioctl (LP: #1657357)
    - Fixed in new upstream release 0.1.7 by adding --new-session
      option that use setsid() before executing sandboxed code.
      Users of bubblewrap to confine untrusted programs should either
      add --new-session to the bwrap command line, or prevent the
      TIOCSTI ioctl with a seccomp filter instead (as Flatpak does).
    - New upstream release also adds --unshare-all option to easily
      sandbox all namespaces. A --share-net option can be used with
      --unshare-all to retain the network namespace.
    - CVE-2017-5226
  * debian/bubblewrap.examples: install upstream examples

 -- Jeremy Bicha <jbicha@ubuntu.com>  Thu, 19 Jan 2017 21:31:11 -0500

bubblewrap (0.1.5-1~ubuntu16.10.0) yakkety-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via ptrace (LP: #1643734)
    - Fixed in new upstream release 0.1.3
    - 0.1.4 further protects against possible ptrace attacks by dropping
      setcaps support and working around the Linux kernel allowing ptrace
      in user namespaces
    - CVE-2016-8659
  * Backport 0.1.5-1 from zesty for minor packaging improvements

 -- Jeremy Bicha <jbicha@ubuntu.com>  Wed, 21 Dec 2016 12:43:27 -0500

bubblewrap (0.1.5-1) unstable; urgency=medium

  * New upstream release
    - drop all patches, applied upstream
    - debian/copyright: update for build system additions

 -- Simon McVittie <smcv@debian.org>  Tue, 20 Dec 2016 11:25:23 +0000

bubblewrap (0.1.4-2) unstable; urgency=medium

  * d/tests/*: only run tests on a real or virtual machine, not in a
    container. bubblewrap is effectively already a container, and
    nesting containers doesn't work particularly well.
    Unfortunately this means the tests won't work on ci.debian.net,
    which uses LXC.

 -- Simon McVittie <smcv@debian.org>  Thu, 01 Dec 2016 12:42:33 +0000

bubblewrap (0.1.4-1) unstable; urgency=medium

  * New upstream release
  * d/p/test-run-be-a-bash-script.patch,
    d/p/test-run-don-t-assume-we-are-uid-1000.patch,
    d/p/Adapt-tests-so-they-can-be-run-against-installed-binaries.patch,
    d/p/Fix-incorrect-nesting-of-backticks-when-finding-a-FUSE-mo.patch:
    improve the upstream tests
  * d/tests/upstream: run the upstream tests as autopkgtests
  * d/rules: Do not enable setuid mode at configure time. If we do, we
    can't run the build-time tests, and it no longer makes any difference
    to the actual code. Make the executable setuid via Debian packaging
    instead.

 -- Simon McVittie <smcv@debian.org>  Tue, 29 Nov 2016 12:55:31 +0000

bubblewrap (0.1.3-1) unstable; urgency=medium

  * New upstream release
    - bring back --set-hostname, the upstream fix for CVE-2016-8659
      makes it no longer a vulnerability

 -- Simon McVittie <smcv@debian.org>  Sun, 16 Oct 2016 14:32:11 +0100

bubblewrap (0.1.2-2) unstable; urgency=high

  * Revert addition of --set-hostname as a short-term fix for
    CVE-2016-8659 (Closes: #840605)

 -- Simon McVittie <smcv@debian.org>  Thu, 13 Oct 2016 11:12:38 +0100

bubblewrap (0.1.2-1) unstable; urgency=medium

  * New upstream release

 -- Simon McVittie <smcv@debian.org>  Fri, 09 Sep 2016 09:22:57 +0100

bubblewrap (0.1.1-1) unstable; urgency=medium

  * New upstream release
    - drop patch, included upstream

 -- Simon McVittie <smcv@debian.org>  Sun, 17 Jul 2016 09:08:35 +0100

bubblewrap (0.1.0-3) unstable; urgency=medium

  * d/control: bubblewrap is Multi-Arch: foreign
  * Hardening: build as a position-independent executable with
    eager symbol binding

 -- Simon McVittie <smcv@debian.org>  Wed, 06 Jul 2016 11:07:32 +0100

bubblewrap (0.1.0-2) unstable; urgency=medium

  * Run basic and dev autopkgtests in addition to userns
  * Really add the regression test for keeping CAP_NET_ADMIN
  * debian/gbp.conf: add DEP-14-style git-buildpackage configuration
  * Normalize package lists via `wrap-and-sort -abst`
  * Add Vcs-Git, Vcs-Browser metadata
  * d/p/build-put-libraries-in-LDADD-not-LDFLAGS.patch: new patch
    fixing linking with -Wl,--as-needed (closes: #826787)

 -- Simon McVittie <smcv@debian.org>  Tue, 14 Jun 2016 16:28:09 -0400

bubblewrap (0.1.0-1) unstable; urgency=low

  * New upstream release (closes: #826358).
  * Add watch file.
  * Add Simon McVittie as uploader.

  [ Simon McVittie <smcv@debian.org> ]
  * debian/copyright: correct package name and source (closes: #824969)
  * debian/control: make the whole package Linux-only. Like Flatpak, this
    package is inherently non-portable.
  * Move from Section: web to Section: admin
  * Increase Priority to optional, because this tool is likely to be
    depended on by gnome-software (via Flatpak) in future
  * Add some simple autopkgtests, including one for bug 71 (closes: #824968)

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 06 Jun 2016 17:20:38 +0000

bubblewrap (0~git160513-2) unstable; urgency=low

  * Install bwrap binary setuid (closes: #824646).
  * Make libselinux1-dev build dependency Linux only.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 19 May 2016 15:24:35 +0000

bubblewrap (0~git160513-1) unstable; urgency=low

  * Initial upload (closes: #823548).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 10 May 2016 08:45:59 +0000
