I obtained a CVE number for this flaw and added a reference to it in NEWS.
Also fixed a now-unnecessary "goto" in related code.