I'll wait with publishing this CVE to be able to include the fixed package versions in the description