For past bug reports, we've not knowingly issued advisories when guessing another tenant's resource UUID is a required component of the exploit. On the other hand, a bug which leaks information about such UUIDs or otherwise makes them easier for an attacker to guess would require an advisory.
For past bug reports, we've not knowingly issued advisories when guessing another tenant's resource UUID is a required component of the exploit. On the other hand, a bug which leaks information about such UUIDs or otherwise makes them easier for an attacker to guess would require an advisory.
Unless anyone disagrees or has new details to provide about this issue, I propose we treat it as class C1 https:/ /wiki.openstack .org/wiki/ Vulnerability_ Management# Incident_ report_ taxonomy and switch the report to public on Thursday, January 29.