Comment 34 for bug 2030976

Before moving forward with communication around this issue, it would be good to get some clarification with regard to the proposed fixes.

The current impact description is with regard to defects in the codebases of Ironic and Nova, but I have yet to see patches like those originally attached get pushed into Gerrit. Work seems to be proceeding with backports of a change in oslo.messaging that say they are "related" to this bug report, but not indicating that they're fixing it (at least as far as the commit messages use a "Related-Bug" footer rather than "Closes-Bug"). If the fix, and so corresponding defect, has been determined to lie within oslo.messaging instead then we need to reframe the impact description before requesting a CVE with it.

Can someone update the bug with the current plan and thinking around how this is proceeding?