@jornane Wietse also says on that page that he has sent corrections to the person that filed the CVE, so I guess/hope that will be fixed soon. UPDATE: the CVE has been fixed and now describes the problem in better ways.