We haven’t released any Turris OS 4.0 since January and it was not fixed as you pointed out. We decided not to release Turris OS 4.0 anymore as they are breaking changes and this is not what we can push to users as some critical services do not start. Anyway, the CVE is already fixed in Turris OS 5.0.0. You might want to check it on this HBT build. 
Check, for example, this link https://repo.turris.cz/hbt/omnia/packages/git-hash and you can see which commits from each feed it uses.