Comment 3 for bug 1673085

To start, we can almost certainly switch this report to Public Security and skip the embargo since the potential risk is already mentioned in the meeting log (and even called out as a possible security vulnerability). There doesn't seem to be much novel in this report which an interested attacker couldn't easily work out from the public discussion and a quick skim through the source code.

As for whether we issue an advisory, I think this will mostly boil down to whether there's a safe way to "fix" it in supported stable branches, or if this will need to be paired with some configuration to actually tune and enable the mitigation.