I can only know what has been shown to me: namely
"Remove HTTPoxy entry in vuxml until a we know if upstream vendors will
patch this so things aren't marked vulnerable forever."
The next day it was shown as cancelled with no further explanation, and PHP issued a patched version, so the reason given ceased to apply.
As for what I understand, on a scale of 1 to 10 I don't know, but I understand this is likely to affect users who use standard libraries to implement functionality, or use certain functions (eg getenv()) to access data, or use the $_SERVER['HTTP_PROXY'] autoglobal. It looks serious enough to justify a warning and a patch as soon as one is available.
As for my alleged failure to investigate, I searched for information in search engines and found none, so I asked for an explanation here, and none has been given. I would have thought when removing a warning like this it is self-evident that there should be a good reason for doing so which is available to users so they can be reassured the threat isn't real or has been dealt with in some way.
I'm concerned because, despite my question I'm just directed to information about the bug and the removal of the warning, none of which seems to explain why, other than it would have been untidy to leave the warning up if upstream fixes were not forthcoming, which in the case of PHP they were.
Users need to see and understand the rationale for decisions which affect reliability and security in order to have confidence in them. Is that such an unreasonable position?