Control: tags -1 - security Remvoving the security tag. If I understand it correctly, the incomplete fix has not directly security implication, but considered a regression in functionality (guests cannot login anymore). So guess this does not need a separate CVE for the incomplete fix applied.
Regards, Salvatore