CVE needed for libotr's support for OTR v1?

[Murray McAllister <mmcallis () redhat com>]

Hello,

Is a CVE needed for versions of libotr that support OTR v1? Quoting the 
Debian bug[1]:

""
as you are surely aware of, it's been known [1] since 2006 that
clients supporting both OTRv1 and v2 (such as libotr 3.x) are subject
to protocol downgrade attacks clients. It's also been known for
a while that OTRv1 has serious security issues (that were the main
reason for a v2, actually). In short, support v2 only is the only safe
way to go these days.

[1] http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.165.7945
""

Ubuntu advisory: http://www.ubuntu.com/usn/usn-2091-1/
Launchpad bug: https://bugs.launchpad.net/ubuntu/+source/libotr/+bug/1266016

Thanks,

--
Murray McAllister / Red Hat Security Response Team

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725779