Comment 11 for bug 1329297

Jouni Malinen (jkmaline) wrote :

I agree with this not being an independent security issue. There is a (mostly theoretical) potential security impact based on how applications or users react to the case where a session ticket unexpectedly cannot be used. That could, at least in theory, result in trying the authentication handshake again with reduced security (e.g., EAP-FAST anonymous provisioning) even when there would be a valid session ticket still available. I don't think this would really result in practical security issues, i.e., the impact is in previously working functionality not working anymore and connections not being established. That said, it is useful to get this regression addressed in a way that makes it more likely for devices to get the update, since the regression was caused by a high priority security fix that was likely applied to most devices immediately.