diff --git a/flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch b/flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch
new file mode 100644
index 0000000..7c8c332
--- /dev/null
+++ b/flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch
@@ -0,0 +1,38 @@
+From 7dd160f33054863b1ea6f75ac279a42121a16430 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <debarshir@gnome.org>
+Date: Mon, 31 Jan 2022 21:17:29 +0100
+Subject: [PATCH] dir: Use SHA256, not SHA1, to name the cache for a filtered
+ remote
+
+SHA1 hashes are considered weak these days. Some distributions have
+static analysis tools to detect the use of such weak hashes, and they
+get triggered by flatpak. While this particular use of SHA1 in flatpak
+is likely not security sensitive, it's also easy to move to SHA256 to
+avoid any debate.
+
+Here, the SHA1 hash of a named remote's filter file is used to generate
+the name of the directory where the refs from that remote are cached.
+One can reasonably assume that the cache is frequently invalidated
+because the list of refs on the remote changes all the time. Hence,
+it's not big problem if it gets invalidated once more because of this
+change.
+---
+ common/flatpak-dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
+index 18384bd432fc..c6d08e85b41f 100644
+--- a/common/flatpak-dir.c
++++ b/common/flatpak-dir.c
+@@ -10923,7 +10923,7 @@ remote_filter_load (GFile *path, GError **error)
+     }
+ 
+   filter = g_new0 (RemoteFilter, 1);
+-  filter->checksum = g_compute_checksum_for_data (G_CHECKSUM_SHA1, (guchar *)data, data_size);
++  filter->checksum = g_compute_checksum_for_data (G_CHECKSUM_SHA256, (guchar *)data, data_size);
+   filter->path = g_object_ref (path);
+   filter->mtime = mtime;
+   filter->last_mtime_check = g_get_monotonic_time ();
+-- 
+2.34.1
+
diff --git a/flatpak.spec b/flatpak.spec
index fe420f5..10d8dff 100644
--- a/flatpak.spec
+++ b/flatpak.spec
@@ -3,7 +3,7 @@
 
 Name:           flatpak
 Version:        1.10.7
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Application deployment framework for desktop apps
 
 License:        LGPLv2+
@@ -12,6 +12,9 @@ Source0:        https://github.com/flatpak/flatpak/releases/download/%{version}/
 # Add Fedora flatpak repositories
 Source1:        flatpak-add-fedora-repos.service
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=1935508
+Patch0:         flatpak-dir-Use-SHA256-not-SHA1-to-name-the-cache-for-a-filt.patch
+
 BuildRequires:  pkgconfig(appstream-glib)
 BuildRequires:  pkgconfig(dconf)
 BuildRequires:  pkgconfig(fuse)
@@ -264,6 +267,10 @@ fi
 
 
 %changelog
+* Thu Feb 03 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-2
+- Use SHA256, not SHA1, to name the cache for a filtered remote
+Resolves: #1935508
+
 * Wed Feb 02 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-1
 - Update to 1.10.7 (CVE-2021-43860)
 Resolves: #2041973