But in various CVE's descriptions there is a misundestanding whether "< 1.1.11" or "<= 1.1.11" should be used for affected versions. It leads to a sutiation that there are already two (!) mistaken bugzilla report about this CVE, whereas the problem was actually fixed months ago...
To avoid further mistakes, I just update to the latest 1.1.20.
To trigger any bureaucracy things, I specify "security" and "high", to avoid broken assumptions that there is no proper update after the CVE report.