Comment 1 for bug 1902997

Applicable to stx master (aka stx.5.0) as well as stx.4.0.
The process is to address the CVE in stx master first and then cherrypick to the appropriate release branches after some soak time.