They released the vulnerability without disclosing it to the vendors first? Am I understanding this right?
No, they disclosed it to the Linux kernel security team, a patch was committed to mainline, then this was disclosed publicly. https://copy.fail/#timeline
They don’t have to coordinate disclosure with every distribution vendor, but dropping a public PoC exploit script 28 days after the patch was committed to mainline kind of seems like a dick move to me.
It got me wondering as well. Normally I find out afterwards that my system has already been patched for a couple of days.