Comment 4 for bug 1166323

heat-cfntools (or Heat/Grizzly) are not covered by the vulnerability management policy yet, so feel free to release this in your preferred way, as we won't be releasing an official OSSA (openstack security advisory) for it.

My suggestion would be to send a message to the openstack general ML once the patch makes it to the repo. Alternatively you can ask for a CVE and try to coordinate fixes with affected distros, if any.