Doesn't really seem responsible to post the vulnerability details to the public list like that, all necessary shaming on weak passwords aside.

I wonder if the timing on this has anything to do with Oracle's continued dismantling of the useful parts of the MySQL website.