The bugfix became necessary as a crash has been found in the option allow::options::noident.
In a short interview developer nate explains how the crash is being triggered and how to avoid it:
There was an issue in allow::options::noident, where if it was enabled in an allow block that a user could potentially crash a server due to a buffer overflow. As far as we’ve been able to see, there’s no risk of remote code execution as much as it just causing a segfault. The main ways of resolving it are updating to 18.104.22.168 or simply making sure no allow blocks specifically have noident (which most by default won’t thankfully).
It is vulnerable in past versions as well before 3.2.8 as well.
Being asked how far back exactly nate says the exploit exists “at least back towards 3.2.3 (before that we wouldn’t support anyways due to exploits way back then)”.
Thanks for the tip goes to Reed Loden and to nate for taking the time to answer my questions!