Comment 9 for bug 1811098

Jeremy Stanley (fungi) wrote :

While reports of suspected vulnerabilities for ceilometer aren't officially overseen by the OpenStack vulnerability management team, we're happy to provide guidance in such matters. I've subscribed the Ceilometer Core security reviewers to the report, to improve visibility among them while it's set as private.

Given that the fixes for this were proposed in public, and the bug was also opened initially public and remained so for a week, there's probably not much point in maintaining an embargo for this report, and so it should just follow the open/public vulnerability management process at this stage.

From a quick look at the reported defect and associated patches, it seems fairly straightforward. This is in line with what the OpenStack VMT would consider a class A report in our taxonomy: https://security.openstack.org/vmt-process.html#incident-report-taxonomy . As such, I'd recommend publishing some sort of Ceilometer notice or advisory about the issue once backports for all supported stable branches have merged.