So we do not have a CVE yet; I believe one will be auto-assigned via GitHub at some point (I don't know how long this takes :-) ).
I realised there is a typo in the bionic changelog: "- GHSA-xgh4-387p- hqpp-1" should be "- GHSA-xgh4-387p-hqpp". But once a CVE is available this line will need to be replaced anyway?

For hirsute, 1.10.1-4 has the first commit from https://github.com/flatpak/flatpak/pull/4156/commits but 1.10.2-1 has just been submitted to Debian sid with the full fixes, so it should be syncing shortly ( https://tracker.debian.org/news/1235768/accepted-flatpak-1102-1-source-into-unstable/ ).

I have not performed any deep testing yet; I have only built the bionic and focal debdiffs in a PPA (I was surprised that the patches still applied cleanly for bionic so wanted to check that, as the line numbers are quite different).

--
https://bugs.launchpad.net/bugs/1918482

Title:
  Update for GHSA-xgh4-387p-hqpp