Comment 21 for bug 1739646

Jeremy Stanley (fungi) wrote:

It looks like the proposed patches don't actually engage the security protection they introduce, requiring an admin to make a policy configuration change before their environment will be protected from the issue described here. Am I interpreting that accurately, or misreading?

If this introduces the need to alter configuration for the deployment after the patch is applied, it's pretty clearly still class B1 in our taxonomy ("...default config value is insecure") and so more appropriate for a security note than an advisory.