Comment 9 for bug 1593799

The VMT doesn't request CVE assignment for bugs which aren't going to have fixes backported, though that doesn't stop someone else from requesting a CVE once this is public. However, the point of a CVE is to be able to track whether a given deployment is vulnerable, and if there's no patch or configuration change which makes deployments no longer at risk of this then there's not much point to having a CVE assigned for it anyway in my opinion.