by ceejayoz 4263 days ago
I really don't think that is a valid excuse for taking a month to make a one-line critical security patch.
2 comments

The vulnerability has been there for four years. It's critical, but not widely exploited. As soon as you release an update, the exploits will be found and weaponized. It's 24 hours later and we're already clocking scripted attacks.

Coordinating a flawless release by a) not doing it during a major distraction event (DrupalCon) and b) allowing an embargo period for people within the security community to prepare is MUCH more important than rushing out the fix a few weeks earlier.

The response here is indicative of the professionalism of the Drupal security group IMHO.

Six years. It was committed in December 2008.
Absolutely, and also considering that the window is once a week (I believe), this should have happened ASAP.