Ah, must have overlooked the months. Makes me wonder why they left this in the wild for a month and now suddenly put thousands of installations at risk.
> now suddenly put thousands of installations at risk
There's a solution that goes with the advisory. You cannot provide a patch without putting sites at risk.
Furthermore, the vulnerability was present since the Drupal 7.0 release, several years ago. There were no exploits seen in the wild. What are a few weeks then?
The team decided that speed to patch sites asap _after_ release of the information was critical. This is the reason why it was released after a pre-announcement and after a conference tying up most stakeholders.
> Disclosure Timeline:
> 16. Sep. 2014 - Notified the Drupal devs via security contact form
> 15. Oct. 2014 - Release of Bugfix by Drupal core Developers