> Should someone from the core team perhaps get in contact with this guy
> and ask if he could get in contact with the development team before
> publicizing any further security holes? AFAIK that is standard
> operating procedure in most cases...
>
> Second, it might be worth pushing a 7.2.2 release containing the fix
> for this bug, as well as the datetime problem. If that sounds
> reasonable to the people who have to do the most work on a new release
> (e.g. Marc), I can volunteer to backport a fix for the datetime
> problem.
It'd be better to contact the dude and get all his bugs out of him, fix them
all and issue a 7.2.2 with all the fixes.
I think this is now essential - people will be using 7.2 series for ages
even after the 7.3 release...
Chris