[hadrien01]

> Yes, we’ll be releasing the patch publicly, as well as a CVE and an explanation in two weeks. We’re delaying release to give our install base a bit of extra time before this is widely exploited.

[bdonlan]

Unfortunately that means it's not possible to deploy this without violating the AGPL...

[jabart]

No one cares. It's a two week violation and no one is going to hunt anyone down who released this early internally.

[Nextgrid]

Even though this is technically a violation, licenses aren't black & white. The objective and intent of the AGPL is not being violated by delaying release by a couple weeks to give time for security patches to be applied.