Considering that exploiting this bug requires administrator action (e.g., issuing a token revocation), I would prefer this bug report to be public. Operators could use this information to enforce a stricter revocation process while the fix is being implemented.
What is the status of the OSSN?
How about we open the bug at the same time we issue the security note? Then we could review the proposed patch on Gerrit, and we'll eventually issue an OSSA if the solution is safely backportable.