Why is this posted now, more than 2 weeks later? Even back then, within hours, people had publicly published working examples of remote code execution via simple single HTTP POST requests?
The Drupal Security Team decided to post a PSA today reinforcing the criticality of this bug. Most of the big sites, including all the sites hosted on popular Drupal PaaS services like Acquia Cloud and Pantheon, were updated or otherwise protected promptly when the original vulnerability was released.
Many other sites were patched within hours.
However, there's a long tail of sites still running Drupal <7.32, and all those sites' owners should assume, at this point, that they've been compromised. As such, this PSA gives instructions for how to avert total disaster.
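A defender's inventory check for the "long tail" described above, added here as an example (it is not code from the thread or from the Drupal project): it reads the VERSION constant that Drupal 7 defines in includes/bootstrap.inc and flags any docroot below 7.32, the release that shipped the fix. The docroot paths and the demo sites it builds are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Drupal 7 declares its version in includes/bootstrap.inc as
#   define('VERSION', '7.31');
VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")
FIXED_VERSION = (7, 32)  # SA-CORE-2014-005 was fixed in Drupal 7.32

def parse_version(text):
    """Return the (major, minor) tuple from bootstrap.inc contents, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    nums = re.findall(r"\d+", m.group(1))  # '7.32-dev' -> ['7', '32']
    return tuple(int(n) for n in nums[:2]) if len(nums) >= 2 else None

def is_vulnerable_version(version):
    """Numeric comparison: (7, 4) < (7, 32), which a string compare gets wrong."""
    return version is not None and version[0] == 7 and version < FIXED_VERSION

def audit_docroots(docroots):
    """Map each docroot to 'vulnerable', 'patched', 'unknown' or 'not-drupal7'."""
    results = {}
    for root in docroots:
        bootstrap = Path(root) / "includes" / "bootstrap.inc"
        if not bootstrap.is_file():
            results[str(root)] = "not-drupal7"
            continue
        version = parse_version(bootstrap.read_text(errors="replace"))
        if version is None:
            results[str(root)] = "unknown"
        elif is_vulnerable_version(version):
            results[str(root)] = "vulnerable"
        else:
            results[str(root)] = "patched"
    return results

def demo():
    """Build constructed docroots (assumed layout) in a temp dir and audit them."""
    base = Path(tempfile.mkdtemp())
    for name, ver in (("old-site", "7.31"), ("patched-site", "7.32")):
        inc = base / name / "includes"
        inc.mkdir(parents=True)
        (inc / "bootstrap.inc").write_text(f"<?php\ndefine('VERSION', '{ver}');\n")
    (base / "static-site").mkdir()  # no bootstrap.inc at all
    return {Path(k).name: v for k, v in audit_docroots(sorted(base.iterdir())).items()}

if __name__ == "__main__":
    for site, status in demo().items():
        print(f"{site}: {status}")
```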
As someone who was learning Drupal, I was wondering this. My test site came up with a friendly notice to "upgrade core". I figured I should, since it seemed like a good exercise.
But trying to figure out how was not intuitive. The Drupal web site was mum on the issue (you'd figure they'd post something on the site telling people to upgrade ASAP).
I figured it out eventually. I was disappointed with how it was handled.
I recommend also subscribing to the Debian security mailing list[1], even if you're not a Debian user--they are on top of security issues that involve software in their repo (and that's a lot of software) within minutes of the advisories.
In fact, that's how I learned about most of Drupal's core security issues (got a message in my inbox) and was able to patch them up really quickly.
It's best to follow the security announcement list. Such announcements are also posted to https://drupal.org/security and the release notes (click through from the upgrade warning).
For example: https://twitter.com/i0n1c/status/522495098630987777