The author seems to indicate in comment #7 (two weeks ago) that the supplied patch works to mitigate the vulnerability. Let me know if you plan to reach out to the Horizon reviewers, or if I should do so, as they don't appear to have weighed in yet. At this point it's taken so long that we've probably missed the opportunity to avoid releasing Zed without this bug.
Given the long times between providing a fix and reviewing it so far, the Horizon team's priority for this problem seems to be very low, which is why I asked whether we should just go ahead and make it public as soon as possible, rather than spending even more time trying to coordinate supplying backported patches to downstream stakeholders in private and scheduling an advisory (which would add at least another week after all the backports are ready).