by rascul 1330 days ago
I just want actionable information is all. If I have to wait a couple days, fine. Giving me vague information I can't do anything with is useless.

"be prepared to update affected systems at $point_in_time" seems actionable to me. That you for some reason think such a warning doesn't warrant taking the recommended action doesn't mean it isn't actionable; it means you choose to ignore it.
An update is nothing special that I have to be prepared for. I do it all the time across all my systems, and it's largely automated. If a single update is such a burden that you must prepare for it days in advance, then perhaps there's room to improve the processes.
OK, so the actionable thing is "make a note to check for and run updates on Nov 1, even though it might be a public holiday for you" and you're done. Actionable != lots of effort, but I still appreciate a warning if I'm supposed to work on a holiday.

And yes, plenty of places are not at the point where this is a "press button and done" activity, even if it should be. (e.g. pretty much everyone who is buying any kind of "appliance" and isn't just running open-source stuff now knows to go check with vendors)

"I'm good at DevOps and everyone else should be too" feels tangential, and isn't going to help you when your banking session gets compromised because your bank wasn't prepared to roll this out through any expedited process versus their regulatory-compliant, slow process.

(As an example/thought experiment. I make no claims about the vulnerability at hand.)

I don't know anything about the update processes banks use. I would hope they wouldn't have to jump through hoops to apply a security update. Didn't they learn this already?
What do you expect banks and other regulated industries to do? YOLO patch whatever and whenever?

I don't work in a regulated industry where it's required, but we do something similar with a proper change control process, and there's not a single individual that's authorised to perform changes without oversight (even if that oversight from senior leadership comes retrospectively).

What did banks do with Heartbleed, Shellshock, Spectre, etc?
I spent a few minutes checking my CMDB for openssl3, and have allocated 30 minutes on Tuesday to upgrade the few machines that have openssl3.

When corporate infosec starts to panic, probably about Thursday based on the JNDI issue, I'll be able to point them to our log which shows how it was handled.
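As an added example of the kind of inventory sweep the comment above describes (this is not code from any commenter or from the OpenSSL project): a POSIX shell script that parses `openssl version` banners and flags hosts on the OpenSSL 3 series. The inventory format (host, a tab, then the banner) is an assumption, the sample export is constructed, and "major version is 3" is used as the only criterion, exactly as the comment does; the script makes no claim about which 3.x releases the pending advisory covers.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies `openssl version` banners
# by major version so a fleet sweep can list the hosts on the 3.x series.
# Assumption: "OpenSSL 3 series" is the criterion of interest; nothing here
# asserts which 3.x releases are affected by any particular advisory.

# openssl_major: print the major version from a banner such as
# "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q  5 Jul 2022".
# The second whitespace-separated word is the version; cut it at the first dot.
openssl_major() {
    printf '%s\n' "$1" | awk '{print $2}' | cut -d. -f1
}

# is_openssl3: succeed (exit 0) if the banner is from the 3.x series.
# An empty banner (openssl missing on the host) is treated as "not 3".
is_openssl3() {
    [ "$(openssl_major "$1")" = "3" ]
}

# local_openssl_is_3: convenience check for the machine running the script.
local_openssl_is_3() {
    is_openssl3 "$(openssl version 2>/dev/null)"
}

# sweep_inventory: read "host<TAB>banner" lines on stdin and print the
# host names whose banner is on the 3.x series, one per line.
sweep_inventory() {
    tab="$(printf '\t')"
    while IFS="$tab" read -r host banner; do
        if is_openssl3 "$banner"; then
            printf '%s\n' "$host"
        fi
    done
}

# Constructed sample CMDB export (hypothetical hosts and banners). In practice
# this would come from the CMDB or from `ssh "$host" openssl version` per host.
SAMPLE_INVENTORY="$(printf '%s\t%s\n' \
    'web01' 'OpenSSL 3.0.5 5 Jul 2022' \
    'db01'  'OpenSSL 1.1.1q  5 Jul 2022' \
    'lb01'  'OpenSSL 3.0.2 15 Mar 2022' \
    'old01' 'OpenSSL 1.0.2k-fips  26 Jan 2017')"

# affected_hosts: run the sweep over the constructed export.
affected_hosts() {
    printf '%s\n' "$SAMPLE_INVENTORY" | sweep_inventory
}

# Usage: list the 3.x hosts from the sample, then check the local machine.
affected_hosts
if local_openssl_is_3; then
    echo "local openssl is on the 3.x series"
fi
```

The parser keys on the major version only, so suffixes like `q` or `-fips` in 1.x banners do not confuse it; a hardened inventory would also record where the library came from (distro package, vendor appliance, statically linked binary), since the comment above about appliances is exactly the case a package-manager query misses.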

> I just want actionable information

Which is, according to TFA, being released on 1 Nov., and according to my calendar, is in 3 days... Problem solved?

I'm not yet convinced there's a problem.
You're not convinced? About a security vulnerability...

From an open-source project...

That has a history of major security vulnerabilities...

Because there's no detailed information yet...

When industry best practice is to not give detailed information without a patch or workaround...

And they're giving you a heads-up for required mitigation in three days...

Rather than right now...

No, I'm not convinced that the vulnerability is something I need to care about, because there are no details about it. I can make that determination when I have details. I am well aware of that project's history. I see no information given that would imply this to be anything more special than a regular update for me, for which I have already streamlined the process. I understand the practice of not giving the details until there's a patch and I'm OK with that, but there have now been over 10 submissions to HN about it with over 150 combined comments and all we know is that an update is coming. I'm not buying into the hype.
To provide a counter, it's the second total vuln to be labeled critical by OpenSSL - first was in 2014, and it was Heartbleed...