This ITS was answered with won't fix / send patches:
But in the meantime somebody assigned a CVE number to it:
The SUSE folks added a patch:
Could anybody review this and comment whether it makes sense at all?
If the patch is correct, would it make sense to release it with 2.4.47?