This seems to be the best way. We probably should wrap up all 3 patches into
one single "this is what you need" patch. Historically, I'm not sure if there
is a precedent on where anything like this has been announced. Have patches,
or the URLs of patches, previously been sent as replies to messages detailing
exploits on lists such as bugtraq?



There are currently NO posts on bugtraq for this issue. I notified vendor-sec (private list) at the same time I notified you folks and I only provided the detail to trigger the bug. No actual exploit was posted to vendor-sec nor any fix information etc. (I actually don't even have the links to the patches myself, I was assuming I could extract it from perlbug but I got perm denied via the guest web access)


I had planned to do a bugtraq / full-disclosure release pretty much after you folks had a chance to get things fixed.

In the past I have done simultaneous posts to bugtraq *with* a vendor. I have also had some vendors ask that I post first and then they can follow up with their own information. I am willing to be flexible in regards to your needs so just let me know which is preferable to you.


-KF
