jacobgkau 2 hours ago

They're asking about the nature of the third party's discovery/publishing. Someone on the inside who decided to leak it anonymously? Someone else who was able to access some private communication they shouldn't have been able to see? Or a third party who happened to discover the same vulnerability (which seems less unlikely than normal since this is so similar to Copy Fail), but didn't follow disclosure procedures?

staticassertion 2 hours ago | parent | next [-]

The commit for the fix was public. Someone noticed. An exploit was published.

ahartmetz 2 hours ago | parent [-]

I think I read on the bug's website that "No fix has been released". I understood that as there is no public fix, but maybe it only means it's not in a tagged version of the kernel and no hotfixed distro kernels have been released?

danudey an hour ago | parent [-]

The patch was posted to the kernel mailing list; someone saw the e-mail, read the patch, figured it out, and published an exploit very soon after.

lofaszvanitt 2 hours ago | parent | prev [-]

Following disclosure procedures? The main cause that kills the need to take security seriously.