github flatpak/flatpak 1.8.7
Release 1.8.7

This is an "old-stable" update for users of the Flatpak 1.8.x branch, such as Red Hat Enterprise Linux 8. In environments that do not need to stay on a specific branch, updating to the newest stable version instead of using this version is recommended. At the time of writing, the newest stable version is 1.12.4.

This is a security update that fixes two issues that were found in flatpak:

GHSA-qpjc-vq3c-572j
(also known as CVE-2021-43860)

A malicious repository could send invalid application metadata in a
way that hides some of the app permissions displayed during
installation.

GHSA-8ch7-5j3h-g4fx
(also known as CVE-2022-21682)

This issue is a problem with how flatpak-builder uses flatpak: it
can allow flatpak-builder --mirror-screenshots-url commands to
create directories outside of the build directory.

The fix for this is the addition of a new option,
--nofilesystem=host:reset. In addition to behaving like
--nofilesystem=host, the new option prevents filesystem permissions
from being inherited from the app manifest.
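
The difference between the two options, as an added illustration (not code from flatpak or from these release notes): a simplified Python model that treats the manifest's filesystem grants as a lower layer and the command-line options as an override layer. The function names, the layering model and the sample manifest grants are assumptions made for this example.

```python
# Simplified model of flatpak's filesystem-permission layering (an assumption
# made for this example, not flatpak's implementation). The manifest is the
# lower layer; --filesystem/--nofilesystem options form the override layer.

RESET = "host:reset"


def parse_overrides(cli_args):
    """Split override options into (grants, revokes, reset_requested)."""
    grants, revokes, reset = set(), set(), False
    for arg in cli_args:
        opt, sep, value = arg.partition("=")
        if not sep or opt not in ("--filesystem", "--nofilesystem"):
            raise ValueError(f"option not covered by this model: {arg!r}")
        if opt == "--filesystem":
            grants.add(value)
            revokes.discard(value)
        elif value == RESET:
            reset = True            # also behaves like --nofilesystem=host
            revokes.add("host")
            grants.discard("host")
        else:
            revokes.add(value)      # revokes only the named entry
            grants.discard(value)
    return grants, revokes, reset


def effective_filesystems(manifest_fs, cli_args):
    """Filesystem grants in force after the overrides are applied."""
    grants, revokes, reset = parse_overrides(cli_args)
    inherited = set() if reset else set(manifest_fs)
    return (inherited - revokes) | grants


if __name__ == "__main__":
    # Constructed sample: grants an app manifest might request.
    manifest = {"host", "home", "xdg-download"}
    for args in (["--nofilesystem=host"], ["--nofilesystem=host:reset"]):
        print(args, "->", sorted(effective_filesystems(manifest, args)))
```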

$ sha256sum flatpak-1.8.7.tar.xz 
9d082c81fa733382fc5688b880941e6c82ec671b0a4a4f875b5d66c091a224c3  flatpak-1.8.7.tar.xz
