Comment 14 for bug 918608

Russell Bryant (russellb) wrote :

I've asked for an update from the Red Hat security team. It looks like they did verify the vulnerability in SQLAlchemy, assigned a CVE (CVE-2012-0805), and are now working on coordinating a release. I'll report back when I get a date. I know the fix is already out, but ideally I think this bug should stay private until the coordinated release for the CVE.

After thinking about it some more, I don't feel strongly that we need an OpenStack advisory for this. Do we want to release an advisory every time a project that OS uses has a vulnerability? I wouldn't think so, except perhaps for extreme circumstances.