by junon 982 days ago
cURL's own tracker had a banner stating severity High to be released October 11.

It's October 11, and it was already October 11 for a lot of the world 13 hours ago (as of writing), when this patch was posted. Nothing was early, nothing was leaked.

EDIT: Why the downvotes? People don't like timezones or something?


> The new version and details about the two CVEs will be published around 06:00 UTC on the release day.

https://github.com/curl/curl/discussions/12026 (2023-10-04T06:17:44Z)

That has to do with curl itself; Red Hat isn't necessarily bound to that schedule, and we don't know the discussion that happened privately prior to the disclosure date.
That kind of approach leads to the party which broke ranks this time not being included in confidential things in future.

Along the lines of "they've proven they can't be trusted", kind of thing.

I don't agree they broke ranks. The 6am date was for the curl project itself.
Probably depends on whether Red Hat was party to privileged info as part of a coordinated release for this. Personally, I have no idea.
I'd be surprised if not, but even then, it's not clear if the time was a requirement set by the cURL team at all for projects that aren't cURL.
Red Hat is one of the subscribers of the mailing list where the CVE details were sent under embargo, so yes, they were bound to that and broke the embargo 13 hours earlier than the lift date.
The patch was supposed to be published around 06:00 UTC on October 11. The commit is 13 hours early.
Perhaps, but to be honest trying to coordinate times on a specific disclosure day is futile. I would imagine Daniel is aware of this phenomenon.
> When there is a HIGH CVE security flaw, why then not release immediately after the fix has been applied, but at a set date?

It's a valid question.

That has been answered several hundred times before, by Daniel himself in the original advisory.

Usually ubiquitous projects like this will privately distribute patches to large distros or corps so they can push security updates, or at least prepare to push them, on the disclosure date, so that the risk of exploitation is lower by the date of disclosure. Otherwise there would be a lag, and people would be more exposed for a period after disclosure.