So three python ticket I'm working have a CVE that is "CLOSED WONTFIX".
Apparently the patch to fix the DoS issue is intrusive and will not be back ported to the
2.x or earlier 3.x releases by the upstream providers.
It may be possible to bump the python3 packages to python3-3.4 from python3-3.3 to get the
patch, but 2.x versions are going to be a mess to fix, RHEL5/6 are not patching.
What is the policy? Do we still try and get the patch or follow upstream as a WONTFIX?