It was reported [1] that the fix for CVE-2015-1196 [2] was incomplete. [1] https://bugs.debian.org/775901 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1182154
This was fixed in patch-2.7.3.
Sorry, I mean 2.7.4.
Given we have not fixed CVE-2015-1196, we're not affected by this issue.