by 1una 976 days ago
The patch was supposed to be published around 06:00 UTC on October 11. The commit is 13 hours early.

Perhaps, but to be honest, trying to coordinate times on a specific disclosure day is futile. I would imagine Daniel is aware of this phenomenon.
> When there is a HIGH CVE security flaw, why then not release immediately after fix has been applied, but at a set date?

It's a valid question.

That has been answered several hundred times before, by Daniel himself in the original advisory.

Usually, ubiquitous projects like this will privately distribute patches to large distros or corps so they can push security updates, or at least prepare to push them, on the disclosure date, so that the risk of exploit is lower by the date of disclosure. Otherwise there would be a lag and people would be more exposed for a period after disclosure.