Hello Jeroen, I also cannot reproduce any exploit with points 1,2. Given that the full upstream fix has been backported to Debian, and also considering the quality of the referenced report, I think it's safe to say that this vulnerability is indeed fixed.
Unfortunately, upstream doesn't mention CVE ids in its security tracker. Thijs
signature.asc
Description: OpenPGP digital signature

