Comment 10 for bug 1736773

Given that analysis, it sounds highly likely we can't safely backport fixes to stable branches for such an issue and so would be a class B1 report per our report taxonomy: "A vulnerability that can only be fixed in master, security note for stable branches, e.g., default config value is insecure" https://security.openstack.org/vmt-process.html#incident-report-taxonomy

Does that sounds right?