In a private E-mail reply, Benjamin agreed with the suggestion to proceed with this report in public for now. As such, I'm triaging it as class B2 ("a vulnerability without a complete fix yet, security note for all versions, e.g., poor architecture / design"). The security note normally suggested by B2 is probably not warranted either given the existing treatment in the security guide, linked from the initial report.