Comment 5 for bug 2058138

Jeremy Stanley (fungi) wrote :

Based on the description, this sounds like a situation that an attacker wouldn't be able to create, but rather a security feature not working as intended leaving systems exposed to subsequent attacks. Is that an accurate assessment? If so, I don't think we need to work on the fix for this in secret and can switch to our public workflow to get a fix in place and operators notified so they can take action as soon as possible (ideally before 2024.1 is tagged so that we don't release it with this flaw).

I see the mention of 2024.1 being affected, so we're at a minimum going to need a patch for master and a backport to the stable/2024.1 branch. Can someone work out what earlier releases may also be affected?