Looks like users/edit-alias does not verify the alias targets (or the verification is broken) - it just accepted "foo" as alias target...
(2.3 has the same bug, therefore no regression and no reason to delay the 2.3.1 release ;-)
This bug has a very interesting solution: It's fixed by adding $error = 0; before checking the alias targets.
With $error uninitialized, $error += 1 is still === 0 - at least PHP thinks so...
Lection learned: always initialize your variables!
Fixed in the 2.3 branch (SVN r850).
The not-so-good news is that some internals of edit-alias aren't too nice - for example, $goto can contain an element with empty string. I added a check for that in the 2.3 branch, but we should use a better solution (avoid empty elements in $goto) in trunk ;-)
Fixed in trunk (r862) also. Still with the "ugly" solution because it was simple to merge, but I at least added a TODO note to my local copy ;-)