Traffic from VXLAN networks is exposed with local VIDs to br-ethX bridge
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
networking-vsphere | New | Undecided | Unassigned |
Bug Description
On the stable/mitaka branch (head commit: 1bc2d6d) I see wrong behaviour when using VLAN and VXLAN tenant networks simultaneously. When a packet arrives at br-tun (ingress packet), it is assigned a local VLAN ID, e.g. 10, and is sent to the integration bridge. In br-int this packet matches a common flow like this:
cookie=
So with VXLAN networks only, this packet goes to br-sec and arrives at the destination VM - OK.
But if we use both (VLAN and VXLAN tenant networks), this packet goes to both bridges: br-sec and br-ethX. Such behaviour can have a security impact on customers: a customer whose VLAN network has segmentation ID 10 can see traffic from customers whose local VLAN ID is 10.
In my small testing lab, to check my understanding, I added this flow and local VIDs stopped going out of br-ethX:
# echo "cookie=
in_port=3 - patch from br-tun
output:4 - patch to br-sec.
Can somebody suggest how to fix this issue and propose it to the upstream repo?
Regards,
Vlad
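One way to check a node for the leak described in this report, as an added example that is not part of the bug report or of the networking-vsphere project: it parses the text `ovs-ofctl dump-flows br-int` prints and lists every flow that can see traffic from the br-tun patch port and may deliver it to the br-ethX patch port. Port 3 (patch from br-tun) comes from the report; port 5 for the br-ethX patch and the sample flow lines are assumptions constructed for this example.

```python
"""Added example, not the project's code. Finds br-int flows that can carry
br-tun ingress traffic (local VID already set) out of the br-ethX patch port.
Port 3 is from the report; port 5 for the br-ethX patch is an assumption."""

PATCH_FROM_BR_TUN = 3   # in_port=3 in the report (patch from br-tun)
PATCH_TO_BR_ETHX = 5    # assumed port number of the patch to br-ethX

# Constructed sample: a catch-all NORMAL rule (floods unknown destinations to
# every port, br-ethX patch included), the reporter's pin to br-sec (port 4),
# and a higher-priority rule that still sends VLAN 10 towards br-ethX.
SAMPLE_FLOWS = """\
 cookie=0x0, duration=10.1s, table=0, n_packets=5, n_bytes=400, priority=1 actions=NORMAL
 cookie=0x0, duration=10.1s, table=0, n_packets=7, n_bytes=500, priority=10,in_port=3 actions=output:4
 cookie=0x0, duration=10.1s, table=0, n_packets=0, n_bytes=0, priority=20,in_port=3,dl_vlan=10 actions=output:4,output:5
"""
FLOOD_ACTIONS = {"NORMAL", "FLOOD", "ALL"}  # each of these can reach every port


def parse_flow(line):
    """Split one dump-flows line into (match fields dict, list of actions)."""
    match_part, actions_part = line.strip().split(" actions=", 1)
    match = {}
    for field in match_part.split(","):
        key, _, value = field.strip().partition("=")
        if value:
            match[key] = value
    return match, [a.strip() for a in actions_part.split(",")]


def reachable_ports(actions):
    """Ports an action list may output to; '*' stands for 'every port'."""
    ports = set()
    for action in actions:
        if action in FLOOD_ACTIONS:
            ports.add("*")
        elif action.startswith("output:"):
            ports.add(int(action.split(":", 1)[1]))
    return ports


def leaking_flows(dump, tun_port=PATCH_FROM_BR_TUN, ethx_port=PATCH_TO_BR_ETHX):
    """(priority, line) for flows that may send br-tun traffic to br-ethX."""
    leaks = []
    for line in (l for l in dump.splitlines() if " actions=" in l):
        match, actions = parse_flow(line)
        in_port = match.get("in_port")
        if in_port is not None and int(in_port) != tun_port:
            continue  # rule cannot match packets coming from br-tun
        ports = reachable_ports(actions)
        if "*" in ports or ethx_port in ports:
            leaks.append((int(match.get("priority", 32768)), line.strip()))
    return leaks
```

Run it against a real dump by passing the output of `ovs-ofctl dump-flows br-int` instead of `SAMPLE_FLOWS`, after replacing the assumed port numbers with the ones `ovs-ofctl show br-int` reports for the patch ports.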