The fix for the timing attack CVE (ENTMQST-3313) has been been included in the upstream 2.6.3 release.

Ideally the previously "hacky" 2.6.1 build will be "unhacked" to use a more native gradle build (as we now have a version of Scala 2.12 that works with redhat build version strings).