Comment 2 for bug 1369487

I think this is the classic definition of a security hardening improvement, not a security vulnerability, and so not a fix for which the vulnerability management team would coordinate a security advisory unless:

a) there are now reliable attacks you can demonstrate which are enabled by the old default key length

b) the documentation claims nova generates longer keys by default than it actually does

c) configuration to force longer key lengths is documented but ignored by the software

It seems like none of the above are the case, so I propose the VMT treat this as a hardening fix unless you can provide evidence to the contrary.