Sounds like the latter. They "found" it and requested a CVE, but it was already fixed -- they just hadn't merged that change because they didn't notice it was security-related.