The expected behavior of ACL checking should cause an implicit default
deny state to be reached unless a terminating denial causes a state to
flip to allow.
A small logic flaw means that completely explicitly absent access control
list was flipped to ALLOW state.
It is believed that most security controls which have explicitly coded
defaults in ther configuration are not impacted by the bug or its fix.
Only empty delay pools and ICAP re*mods may have any change in behavior
as a result.