Comment 8 for bug 1823200

If I'm reading correctly, the proposed fix will require configuration changes for existing deployments, so we'll likely want a security note (OSSN) for this but we would not produce an advisory (OSSA).