On Wed, Nov 20, 2024 at 09:49:27PM -0500, Jonathan Katz wrote:
> That said, while it's certainly advisable to upgrade based on having CVEs in
> a release, many upgrade patterns are determined by the CVE score[2]. For
> example, a HIGH score (7.0 - 8.9 - our highest for this release was 8.8; 3
> of them were less than 5.0) often dictates upgrading within 14-30 days of
> announcing the CVE, and lower scores having more time. This could be why
> people didn't complain, particularly because we got the announcement out 36
> hours after the release, and stated the updates would be available within
> the next week.

Makes sense. This is the discussion I wanted to have. Thanks.

--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
When a patient asks the doctor, "Am I going to die?", he means
"Am I going to die soon?"