Comment 5 for bug 1849624

Jeremy Stanley (fungi) wrote :

Based on this, I think that (2) will more correctly be an OSSN (security note rather than advisory) since it's recommending a change in configuration rather than providing a patch for deployers to apply. Probably closest classification in our report taxonomy is B2 "A vulnerability that can only be fixed in master, security note for stable branches, e.g., default config value is insecure" (though in this case it sounds like it's at least not the default value): https://security.openstack.org/vmt-process.html#incident-report-taxonomy