When I say rebuilt I mean install/update or whatever to the fix version. You join my point when you said you need to check the hash, i.e a trusted source is required. I am not saying https is not enough, I said that that if you had doubt , you should forget everything you have update recently. This CVE is hard to exploit, normally. But you can't just brush the scenarii where it is relevant.