This library has an unfortunate consequence when using it in multiple
environments without strong consistent access to one crypto method.. it
will fall back to weaker methods, which breaks the expectations of
security.. Fallback have been assigned CVE here before. As well, it is
an openwall release.
I may be wrong and it could already be assigned one, but I don't see it.