Comment 23 for bug 1739646

Jeremy Stanley (fungi) wrote :

It's only considered "fixed" from an advisory standpoint if, upon upgrading, the default behavior changes to solve the vulnerability. If operators need to alter their configuration as well, then this requires a bit more narrative and is the realm of a security note. Look at it this way... upgraded or new installations will continue to expose the vulnerability described here, as the default configuration is insecure. The plan is for it to be "fixed" (default behavior changes) at some point in a future release.

This is where we walk a fine line between vulnerabilities whose solutions can be safely backported to stable branches with minimally-disruptive changes in behavior, and those which can only be addressed through deprecation of the old unsafe behavior (regardless of whether we give the operator an easily-applied workaround, say, in the form of a configuration option).