The function is called in auth_cryptPassword() in inc/auth.php. This bug has been fixed in commit
7ae6f87a (October 14, 2011) and thus doesn't exist in the current RC anymore. However I'm thinking this is not a minor issue and does concern security, so I would suggest doing a "hotfix" release even though it isn't really "hot" anymore.