Just a reminder, our embargo policy promises a maximum of 90 days from initial report of a suspected vulnerability, and per the preamble in the bug description, that's... "This embargo shall not extend past 2023-05-03 and will be made public by or on that date even if no fix is identified."
That's four weeks from yesterday, so ideally we'll have fixes and an advisory ready to provide advance copies to downstream stakeholders at least a full week prior to that, which basically gives us only three weeks to wrap up the debate over patches and prepare all relevant backports (at least as far back as stable/yoga since stable/xena will be transitioning to extended maintenance before then, but also backporting to stable/xena if possible would be nicer to our users).