Here's a news entry describing the vulnerability.  The "TBD" commit
should be replaced with the one that updated the guix package.