web/security: fill in 1.0 branch CVE backports