Comment 8 for bug 1895928

The patch in comment #6 looks good - we will just need to edit the changelog entry to list the actual assigned CVE ID from above and then backport to xenial, bionic and groovy.