I dug into this a bit today. I think the packages exist within the database and AFAICT don't seem to be something that can be messed with by a malicious tenant. I am leaning towards a C1 or even D classification [1] for this bug. I suggest we fix this as security hardening and open the report up next Monday unless people find a practical exploit case before then.
1. Our vulnerability taxonomy is available here: https://wiki.openstack.org/wiki/Vulnerability_Management