Hi Chris, Utkarsh, all
In this particular case Salvatore have told that the CVE needs to be assigned by Apache CNA.
We should ask them about it I guess.
When I added it to dla-needed it looked severe enough to warrant a fix. Let me know if you have any other opinion.
If we see delays in response regarding the CVE assignment I think we can release a fix with just the bug reference, not to delay things unnecessarily.
But I do not think a few days is an issue, so try to get the CVE first.
Hope this helps.