Why did it take them 4 days between publishing a CVE for the vulnerability (Dec 19th) and posting a public patch (Dec 23rd)?
computerfan494•1h ago
That's a good question. I suppose that posting the commit makes it incredibly obvious how to exploit the issue, so maybe they wanted to wait a little bit longer for their on-prem users who were slow to patch?
philipwhiuk•38m ago
Posting the CVE and then the patch is the reverse of this.
computerfan494•31m ago
By "patch" I am talking about the public commit. Updated binaries were made available when the CVE was published.
cebert•1h ago
In the US, the last two weeks of December can be slow due to the holiday season. I wouldn’t be surprised if Mongo wasn’t as staffed as usual.