I think a year's salary of an engineer (which is NOTHING at certain corporate scales) would make the fix happen in a matter of weeks, and it is only fair.
OR if you absolutely don't want to pay, then another way would be to allocate one of your own engineers for a few months to patch the parts you need for the paying customers and contribute upstream.
EDIT: SORRY - This one year, one engineer compensation is just my own limited, incorrect estimation. I am in no position to say what exactly it's worth, but I would estimate a few months of effort for an engineer that's NOT familiar with the code base, probably.
Apparently they would just need to build a newer release, the fix is already done (but I suspect that doing so would evoke other compliance issues, which is probably why it wasn't done; obviously this isn't the open source project's problem).