> Security fixes *do* introduce bugs, which do have to be fixed later: see,
> e.g. ff9bc512f198eb47204f55b24c6fe3d36ed89592. But obviously this is done
> by fixing the bug, not by reverting the security fix!
That's for sure, and I can give you many more examples too. But the good thing about such a regression fix is that it usually mentions the commit hash that introduced the problem. This is quite different from bugs that are security-relevant, and yet have nothing related mentioned in the changelogs.