It’s not the first time when a serious flaw has been found in a “release” and then left unfixed in the “latest-stable” branch for months (and also in the published source code tar/zip archives).
BTW. For example, one of the previous ones I remember was related to the xrootd hash.