This was reported by Dirk Wetter on the Debian bug tracker (see URL): "There's a problem with the randomness of mktemp. The string includes a number which includes somewhat the current process ID (based on the current PID)." AFAICS, mktemp from coreutils is not affected.
This is an error in (non-coreutils) mktemp's own filename generator. However, we use "econf --with-libc", which makes mktemp just a wrapper around glibc's mkstemp() function. So this does not affect us.