Obviously it's entirely up to VMT how advisories for incomplete fixes are handled.
But if it helps you at all in deciding what the process should be, MITRE and Red Hat (as a CNA for opensource), as a standard practice, do assign a new CVE to an issue when a fix is found to be incomplete after the original fix/advisory is released.
We (Red Hat product security) will also release a new erratum / security advisory if such a case occurs and we have already released one for the original issue.
That is our process though, by no means am I saying it should be yours as well. Just trying to be helpful :)
Obviously it's entirely up to VMT how advisories for incomplete fixes are handled.
But if it helps you at all in deciding what the process should be, MITRE and Red Hat (as a CNA for opensource), as a standard practice, do assign a new CVE to an issue when a fix is found to be incomplete after the original fix/advisory is released.
We (Red Hat product security) will also release a new erratum / security advisory if such a case occurs and we have already released one for the original issue.
That is our process though, by no means am I saying it should be yours as well. Just trying to be helpful :)