The quoted section of the initial announcement is a little worrying:
compromising the release packages involved effort on someone's part and,
as a motivation for that effort, introducing an exploitable vulnerability
is a far, _far_ likelier goal than adding a random bug. So the initial
position should probably be to assume that whoever made the changes
intended them to be exploitable and therefore to act as though there
were a compromise introduced until those changes are fully understood.
That is, the healthy initial reaction is "what have I missed?" rather
than "this doesn't seem to do anything".