Comment 1 for bug 1955556

It looks like the Ubuntu package maintainers have already picked this up. From an upstream OpenStack perspective, we don't mandate use of vulnerable versions of dependencies, as the suggested version ranges in the requirements.txt you linked can confirm.