Comment 6 for bug 918608

Russell Bryant (russellb) wrote :

I do agree that this is a SQLAlchemy vulnerability and not so much a keystone vulnerability. I can work this issue from that angle. I'll look into getting a CVE allocated for it. I think it's still worth posting an OpenStack security advisory about this to help make users aware of the problem. The advisory can just reference the SQLAlchemy CVE.

As to the general process question, I think that if a project is a core OpenStack project, it's a good idea to release a security advisory, even if there hasn't been an official release yet.