Comment 253 for bug 2059809

Jeremy Stanley (fungi) wrote : Re: Arbitrary file access through QCOW2 external data file (CVE-2024-32498)

Please be aware that the comments added to this bug are already going out by E-mail automatically to more than 50 people, and will all become public at the time we issue our advisory (actually an hour prior so that we have time to get review link comments in and assemble them into the final publication). As it is, the late patch revisions on Friday resulted in requests from some downstream stakeholders to reschedule publication a second time (we really can't due to the two-week disclosure limit imposed by the linux-distros mailing list) because it's going to prevent them from having fixed patches ready to distribute to their users in time. I'm almost certain the last minute patch provided yesterday as pre-disclosure errata will not make it into initial versions of many fixes in distributions.

Any additional novel exploit paths to bypass the current protections really should be opened as separate private bugs at this point, because it will otherwise be quite impossible to provide advance copies to downstream stakeholders in the time we have remaining. We can still choose to treat those new bugs as post-advisory errata for today's publication or as completely separate advisories depending on the scope and relevance.

And thanks once again to everyone for all your help with this exceedingly complex situation.