[HIGH] Saving user accounts can sometimes grant the user all roles

PKSA-9qcr-q27r-2kkq CVE-2016-3169 GHSA-q3p9-8728-wq7x

Affected package: drupal/drupal

Affected version: >=8.0,<8.0.4

Reported by:
FriendsOfPHP/security-advisories, GitHub