That's a good question. I suppose that posting the commit makes it incredibly obvious how to exploit the issue, so maybe they wanted to wait a little bit longer for their on-prem users who were slow to patch?

▲

philipwhiuk 6 hours ago | parent [-]

Posting the CVE and then the patch is the reverse of this.

	▲	computerfan494 6 hours ago \| parent [-]
		By "patch" I am talking about the public commit. Updated binaries were made available when the CVE was published.