by btucker 4263 days ago

    16. Sep.  2014 - Notified the Drupal devs via security contact form  
    15. Oct.  2014 - Release of bugfix by Drupal core developers
I know it's open source volunteers & all, but that seems like a rather slow reaction to such a critical vulnerability with a simple fix, doesn't it?
2 comments

Was it a simple fix? Certainly an elegant one. Excluding Drupalcon, I'd imagine it took some amount of time to determine the scope of the problem (was this the only avenue?), best method of resolution (there might have been a few ways to patch this that were more complicated before settling on this one), and then testing to make sure additional problems were not introduced on possible fixes.

This was a pretty critical part of Drupal core, so it would be irresponsible to rush out a patch without proper testing and analysis. Could it have been done quicker? Maybe. But I don't think this is a completely unreasonable period of time.

Drupalcon happened during this time.
I really don't think that is a valid excuse for taking a month to make a one-line critical security patch.
The vulnerability has been there for four years. It's critical, but not widely exploited. As soon as you release an update, the exploits will be found and weaponized. It's 24 hours later and we're already clocking scripted attacks.

Coordinating a flawless release by a) not doing it during a major distraction event (DrupalCon) and b) allowing an embargo period for people within the security community to prepare is MUCH more important than rushing out the fix a few weeks earlier.

The response here is indicative of the professionalism of the Drupal security group IMHO.

Six years. It was committed in December 2008.
Absolutely, and also considering that the window is once a week (I believe), this should have happened ASAP.