Hi,

I'm not sure it makes sense that CVE-2019-15297 was used both for AST-2019-004 and AST-2021-006. I asked MITRE CNA to see if there is a reason not to assign a new CVE for AST-2021-006.

I suspect many have otherwise missed the update through AST-2021-006 because they already tracked CVE-2019-15297 / AST-2019-004 and updated packages accordingly (which happened in Debian with the 1:16.10.0~dfsg-1 and 1:16.2.1~dfsg-1+deb10u2 updates).

Regards,
Salvatore

