Should licensees address CVE 2015 9284 in their repo or wait for jumpstart to move to omniauth 2.0.x?

New licensee and didn't see any discussion the CVE. Is there any current recommendation on addressing this in our forks? Should we attempt address via: Resolving CVE 2015 9284 or does the current jumpstart address this via another method?