The operational wrinkle nobody mentions in the rename is that the same vulnerability now ships under two version trains. VSV00019 was just patched as Vinyl 9.0.1 and as Varnish 8.0.2 and 6.0.18, so anyone pinning a version in their package manager has to figure out which lineage their distro actually tracks before the next CVE lands.