Comment 35 for bug 1823200

Summer: Unless the plan changes to provide patches which fix this vulnerability for existing configurations or by breaking deployments until updated configuration is applied, which is likely even impossible for anyone who's been using the driver with bare metal instances unless the vendor alters the design of their product, the OpenStack VMT won't be issuing an advisory; and we only request CVEs from MITRE if an advisory is being drafted.

Publication of guidance to deployers and distributors for securing the software is still encouraged--we have a less formal "security note" process we recommend for this purpose--and if you wish to assign a CVE along with it then feel free to do so. All we ask is that you update this bug report with the CVE identifier so that multiple organizations don't do the same and wind up with duplicate CVEs.