docbook-xml (4.5-14) unstable; urgency=medium
 .
   * New maintainer. (Closes: #802368)
   * debian/control:
     - Change Maintainer to Ahmed Alaoui.
     - Drop Priority and Rules-Requires-Root (now defaults).
     - Bump Standards-Version from 4.7.0 to 4.7.4.
   * debian/patches: Add DEP-3 headers with Forwarded: not-needed
     to all 10 patches.
   * debian/watch: Add comment about frozen upstream and 522 error.
   * debian/upstream/metadata: Add new file.

flatpak (1.18.0-1) unstable; urgency=medium
 .
   [ Simon McVittie ]
   * New upstream release
   * d/p/dir-Use-flatpak_bwrap_child_setup_inherit_fds_cb-to-apply.patch:
     Drop patch, applied upstream
   * Revert "d/control, d/gbp.conf, d/watch: Watch for upstream development
     snapshots"
   * d/libflatpak0.symbols: Add one new symbol
   * d/libflatpak0.symbols: Use stable release versions for all symbols.
     For each symbol added in a development branch, generate dependencies
     as though it had been added in the stable release that followed.
   * Release to unstable
 .
   [ Luca Boccassi ]
   * Switch from adduser to dh-sequence-installsysusers
 .
 flatpak (1.17.6-1) experimental; urgency=medium
 .
   * New upstream release
     - Incorporate security fixes previously in 1.17.3-2
     - Fix regressions caused by fixing CVE-2026-34078
       (Closes: #1132960, #1132968)
   * Drop patches that were included in the upstream release
   * d/p/dir-Use-flatpak_bwrap_child_setup_inherit_fds_cb-to-apply.patch:
     Add patch from upstream to silence a spurious warning when installing
     apps that use extra-data
   * Merge changelog from unstable
flatpak (1.17.6-1) experimental; urgency=medium
 .
   * New upstream release
     - Incorporate security fixes previously in 1.17.3-2
     - Fix regressions caused by fixing CVE-2026-34078
       (Closes: #1132960, #1132968)
   * Drop patches that were included in the upstream release
   * d/p/dir-Use-flatpak_bwrap_child_setup_inherit_fds_cb-to-apply.patch:
     Add patch from upstream to silence a spurious warning when installing
     apps that use extra-data
   * Merge changelog from unstable
flatpak (1.17.3-2) experimental; urgency=high
 .
   * d/p/CVE-2026-34078/*.patch:
     Fix a sandbox escape involving symlinks passed to flatpak-portal.
     A malicious or compromised Flatpak app could exploit this to achieve
     arbitrary code execution on the host.
     (CVE-2026-34078, GHSA-cc2q-qc34-jprg) (Closes: #1132943)
   * d/p/CVE-2026-34079/*.patch:
     Prevent arbitrary file deletion outside the sandbox by a malicious or
     compromised Flatpak app
     (CVE-2026-34079, GHSA-p29x-r292-46pp) (Closes: #1132944)
   * d/p/GHSA-89xm-3m96-w3jg/*.patch:
     Prevent a local user from making another local user unable to cancel
     an ongoing download of apps or runtimes installed system-wide
     via the system helper.
     (No CVE ID, GHSA-89xm-3m96-w3jg) (Closes: #1132945)
   * d/p/GHSA-2fxp-43j9-pwvc/*.patch:
     Prevent a local user from reading any file that is readable by the
     _flatpak system user. A mitigation is that it would be very unusual
     for these files not to be readable by the original local user as well.
     (No CVE ID, GHSA-2fxp-43j9-pwvc) (Closes: #1132946)
   * Merge packaging changes from unstable
   * Standards-Version: 4.7.4 (no changes required)
 .
 flatpak (1.16.4-1) unstable; urgency=high
 .
   * New upstream security release
     - Fix a sandbox escape involving symlinks passed to flatpak-portal.
       A malicious or compromised Flatpak app could exploit this to achieve
       arbitrary code execution on the host.
       (CVE-2026-34078, GHSA-cc2q-qc34-jprg)
     - Prevent arbitrary file deletion outside the sandbox by a malicious or
       compromised Flatpak app
       (CVE-2026-34079, GHSA-p29x-r292-46pp)
     - Prevent a local user from reading any file that is readable by the
       _flatpak system user. A mitigation is that it would be very unusual
       for these files not to be readable by the original local user as well.
       (No CVE ID, GHSA-2fxp-43j9-pwvc)
     - Prevent a local user from making another local user unable to cancel
       an ongoing download of apps or runtimes installed system-wide
       via the system helper.
       (No CVE ID, GHSA-89xm-3m96-w3jg)
 .
 flatpak (1.16.3-1) unstable; urgency=medium
 .
   * New upstream stable release
     - In flatpak-build(1), only provide /run/host/font-dirs.xml if the
       calling process has not already added it, fixing a regression for
       users of GNOME Builder and Foundry (flatpak#6450 upstream)
   * Standards-Version: 4.7.3
     - Remove Priority: optional, unnecessary since Debian 13
   * d/watch: Convert to v5 format
   * d/watch: Only watch stable (even-numbered) releases
     - d/watch.devel: Add a second watch file for development
       (odd-numbered) releases
flatpak (1.17.3-1) experimental; urgency=medium
 .
   [ Simon McVittie ]
   * Merge packaging from unstable (no functional changes)
   * New upstream development release
   * d/p/Tell-as-installed-tests-where-they-can-find-triggers.patch:
     Drop, applied upstream
   * Standards-Version: 4.7.3.
     Remove Priority: optional, no longer needed.
 .
   [ Luca Boccassi ]
   * Switch from adduser to dh-sequence-installsysusers
flatpak (1.17.2-1) experimental; urgency=medium
 .
   * New upstream development release
   * d/copyright: Update
   * d/rules: Stop overriding location for system bus setup snippets.
     The default is now what we want (below /usr).
   * d/rules: Remove obsolete http backend option.
     libcurl is now the only backend available.
   * d/libflatpak-doc.install:
     Install single-file HTML documentation for the library
   * d/libflatpak0.symbols: Update
   * d/control: Some unit tests now require curl(1), file(1), jq(1)
   * d/p/Tell-as-installed-tests-where-they-can-find-triggers.patch:
     Add proposed patch to fix autopkgtest regression in 1.17.0