If mitigating this on some supported stable branches is going to require the operator to make configuration changes, then this is probably better handled as a security note than an advisory.
If mitigating this on some supported stable branches is going to require the operator to make configuration changes, then this is probably better handled as a security note than an advisory.