Comment 4 for bug 1918482

Andrew Hayzen (ahayzen) wrote : Re: Update for GHSA-xgh4-387p-hqpp

So we do not have a CVE yet; I believe one will be auto-assigned via GitHub at some point (I don't know how long this takes :-) ).

I realised there is a typo in the bionic changelog: "- GHSA-xgh4-387p-hqpp-1" should be "- GHSA-xgh4-387p-hqpp". But once a CVE is available this line will need to be replaced anyway?

For hirsute, 1.10.1-4 has the first commit from https://github.com/flatpak/flatpak/pull/4156/commits but 1.10.2-1 has just been submitted to Debian sid with the full fixes, so should be syncing shortly (https://tracker.debian.org/news/1235768/accepted-flatpak-1102-1-source-into-unstable/).

I have not performed any deep testing yet, I have only built the bionic and focal debdiffs in a PPA (I was surprised that the patches still applied cleanly for bionic so wanted to check that, as the line numbers are quite different).