Comment 12 for bug 1915282

Thanks, for now the VMT will consider this a class C1 report (impractical vulnerability) and so not plan to issue any advisory:

https://security.openstack.org/vmt-process.html#incident-report-taxonomy

 Let us know if the situation changes and you determine it's risky enough to backport a solution to supported stable branches.