Oh, the crap is flying here. Tim and others, re disclosure.
For the benefit of Tim and others:
Yes, this case is slightly unusual - because there was public disclosure before the bug was fixed (albeit by a couple of days; most distributors had official updates available Tuesday).
Yes, Tim, we have a perfectly mature private disclosure system for Linux security issues. There is an established process whereby serious security issues are privately disclosed by security researchers to other security researchers, the developers of the affected component, and distributors.
The issue is then verified, fixed, the fix is tested, and the public disclosure is made at the same time as the patches are made available by the upstream developers and by distributors.
In this case, the issue leaked to the public slightly prematurely; no-one knows how yet, AFAIK. Usually, there would be zero window between the public disclosure of the vulnerability and the availability of official updates.
Usually, security researchers only break this process when they don't believe the issue is being worked on sufficiently urgently, which isn't ever the case for kernel security issues, which are always handled as a very high priority by the kernel developers.
(Compare to Microsoft's "once a month, you get to be slightly secure!" policy).
And for the most recent AC, they *really* ought to be using separate virtual machines for each user in a hosting setup. Or at least chroot jails. As someone earlier pointed out. This is at least 60% the fault of bad setup on Claranet's part (as most compromises usually are, for any OS).