This is only the case for the static binaries and not for the official Ubuntu/Debian/... releases.

At least they put a warning on their release page: https://github.com/mumble-voip/mumble/releases

But releasing a vulnerable version of Mumble is still bad. They should either fix it or not release a static binary at all.