Comment 5 for bug 1840507

Thanks, so if your patch in comment #2 is acceptable to the other cores and can be merged before the OpenStack Train coordinated release, I think we can just patch it publicly and dispense with any need for a formal security advisory. Does anyone disagree? Basically report class Y: https://security.openstack.org/vmt-process.html#incident-report-taxonomy