Comment 3 for bug 1646254

It was pointed out that this report is a duplicate of embargoed security vulnerability OSSA-2017-001/CVE-2017-2592 which was being worked in parallel. I'll mark this bug as a duplicate since the other has far more detail and covers the advisory and (slightly different) stable branch fixes.