FYI see commit a3e9d5aa98 (and equivalent commits in 1.1.0 and 1.0.2). These fixes were reviewed in private due to an embargo from the reporter. In spite of that we have chosen not to issue a CVE for these fixes since they are localhost side channels only. Matt