@zigo: I'd say *this* bug is worse than the original CVE.
Having said that, the fix for this bug builds on top of the fix for the original CVE, so you'd still need to backport the fix for the original CVE to backport the fix for this bug. But if you haven't yet shipped the fix for the original CVE in your distro, I think you'd want to hold off until we clear up this one and get the backports rolling upstream.