Comment 27 for bug 1739593

CVE-2017-18191 is already reserved for this and can, I suppose, be included in that release note already. You're right that OSSA numbers have historically been assigned at the time of publication so I would consider either amending the release note later and not blocking the patch on it, or we can attempt to work out some sort of coordination mechanism for earlier OSSA assignment.