Fedora has issued an advisory tomorrow (February 13): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KEEWWTWPOXFOQSOBEEMYNYIRW5I3RTWB/ The issue is fixed upstream in 1.2.3. The RedHat bug has a link to the upstream commit that fixed the issue. Mageia 6 is also affected.
CC: (none) => shlomif
Blocks: (none) => 23866
Whiteboard: (none) => MGA6TOO
Debian has issued an advisory for this on February 12: https://www.debian.org/security/2019/dsa-4390 According to the Debian bug, it's also fixed upstream in 1.0.7.
Status comment: (none) => Fixed upstream in 1.0.7 and 1.2.3
flatpak-1.0.7-1.mga7 uploaded for Cauldron by Shlomi.
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
RedHat has issued an advisory on May 7: https://access.redhat.com/errata/RHSA-2019:1024 The issue is fixed upstream in 1.0.8 and 1.2.4.
Summary: flatpak new security issue related to CVE-2019-5736 => flatpak new security issue related to CVE-2019-5736 and new security issue CVE-2019-10063
Status comment: Fixed upstream in 1.0.7 and 1.2.3 => Fixed upstream in 1.0.8 and 1.2.4
Mageia 6 is EOL. Mageia 7 has Flatpak 1.4.1, with a request for upgrade in Bug 25463.
Resolution: (none) => OLD
CC: (none) => fri
Status: NEW => RESOLVED
Apparently the first issue got CVE-2019-8308: https://lists.opensuse.org/opensuse-updates/2019-08/msg00222.html
Summary: flatpak new security issue related to CVE-2019-5736 and new security issue CVE-2019-10063 => flatpak new security issue related to CVE-2019-5736 (CVE-2019-8308) and new security issue CVE-2019-10063