Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.
This sounds similar to OSSA-2016-012, thus I think this is a class A according to VMT taxonomy (https://security.openstack.org/vmt-process.html#incident-report-taxonomy).
If this doesn't warrant an embargoed disclosure, or if a fix isn't proposed in a timely manner, we should loop ossg-coresec before making this public, as explained in the embargo exception process here: https://security.openstack.org/vmt-process.html#embargo-exceptions