Thanks for all the detailed answers and for forwarding the message to the appropriate people.

I'm aware that upstream openstack is not really a "distribution", guess I was just sloppy with my wording, apologies for that.

Also thanks for correcting my assumption that openstack was directly shipping code which I thought to be vulnerable.

From my initial reading I thought that e.g. the tornado webserver was vulnerable directly and when I found the redhat/suse sites claiming that their openstack releases were affected I thought this must have a different meaning than just using a vulnerable python version, as the bugs in the python implementation are listed separately on these pages.

Of course tornado only gets installed via pip/third party repositories, so if the upstreams get fixed no further action is needed.

Thanks for all your input, it's much appreciated.

-- 
Kind regards

Sven Kieske
Systems Developer
Mittwald CM Service GmbH & Co. KG
https://www.mittwald.de