[nickweb]

Is it normal for a security issue of this magnitude to have a 12 day notification period for everyone? That seems... short.

[jwilk]

Yes. This was coordinated on the distros mailing list, which has maximum embargo period of 14 days, with periods shorter than 7 days preferable:

https://oss-security.openwall.org/wiki/mailing-lists/distros...

[cpncrunch]

Still no update for Centos 8, so I'm not sure that worked too well.