Hacker News

ori_b, yesterday at 6:17 PM, 4 replies

Basic care would involve making sure the patches had made it into the wild before ending the embargo, and nagging the relevant parties if not.

Edit: As of this writing, most distros, including Red Hat, Fedora, and Debian Stable, do not have patches available in the package repos, though they're being actively worked on.


Replies

sgjohnson, yesterday at 6:24 PM

Not true: if there's any evidence of the exploit being used in the wild, it's much more responsible to release immediately.

Considering that the patches have been available for a while, someone surely reversed what they were for and was actually exploiting this in the wild.

In the age of AI, I'd argue that "responsible disclosure" is dead. Arguably even in closed source projects. Just ask Claude to do a diff against the previous version and see whether anything fixed in there could have had security implications.

We’re not there yet, but very soon the only way to responsibly disclose a vulnerability will be immediately.

semiquaver, yesterday at 6:22 PM

"Made it into the wild?" Patches landed a month ago. Should they also wait until my Linksys router from 2018 has a patch ready?

staticassertion, yesterday at 9:41 PM

That's mostly on Greg, a bit on the author.

GrayShade, yesterday at 6:52 PM

Fedora is patched.