I guess we should get a CVE for this?
release-2.x.y
2014-01-12, Mark Doliner