So I guess the base distro is also affected, as these are core OpenStack components imho?
On Thu, 2021-02-25 at 15:06 +0000, Jeremy Stanley wrote:

There is no "base distro" of OpenStack. Red Hat and SUSE both produce distributions of OpenStack which, strictly speaking, means OpenStack software combined with other software such as OpenStack's dependencies and an operating system to run it all on. So in those cases it's the Python interpreters in their distributions which the vulnerabilities you linked are affecting, but not the OpenStack software which they're also including in the distributions.

Ya, with my downstream hat on, the Python interpreter and standard libs are not considered to be part of the OpenStack product. They are part of the base operating system distribution and we just use them in the OpenStack product. I would not consider CVEs in the Python interpreter to be a CVE in OpenStack. OpenStack would certainly be affected by it, but it's outside of the OpenStack production team's hands to fix.

From an upstream perspective I also agree there is no base distribution of OpenStack + an interpreter. There are the upstream repositories of the OpenStack project hosted on https://opendev.org, but we do not distribute a Python runtime or all of the external libraries that OpenStack depends on as a single distribution, so those CVEs appear to be outside the scope of the OpenStack vulnerability team to address. That does not mean the OpenStack community does not care about them; they just are not part of the software we maintain and develop.