Comment 6 for bug 1787214

I'd rather not make this public for two reasons:

1) oslo.messaging patch hasn't been approved nor released
2) what about oslo.log? Should it be patched to avoid dumping all args to the log (i.e. changed only log what is referenced in the log format)? I wasn't aware of the current behavior and I suspect there may be other logging calls that end up outputting unintended information as well.

That said I admit I'm ignorant of how this project deals with security related issues. My experience with Apache is that the bug remains embargoed until after a release containing the fix has been made available...