You shouldn't think of this as being delayed; they are providing advance notice of a serious vulnerability being patched so that those using it can update ASAP.
I meant delayed in the sense that if a patch is available, and fixes anything other than a trivial problem, it should be released as soon as is practicable (appreciating that there may be dependencies they wish to synchronise with, or in this case, trying to mitigate the obvious risks associated with the immediate definition of the exploit). Obviously I'm not limiting myself to gitlab patches here.
Appreciate the heads-up - especially for people with an unfortunate combination of highly exposed systems and inconvenient timezones. : )
