Propagating the patches is the job of your distro's maintainers. If the patch doesn't get properly propagated to you then I would think about changing the distro.

The only issue that was brought to my attention that I don't have a good answer for is how best to propagate patches. I mean I really don't know. Even if a fix is made, but it is not distributed, then the mere announcement of this vulnerability will inform the bad guys how to get in. So propagating these security patches is critical.
distros @ openwall list before the advisory went public. There is no perfect solution here, and a lot of the current structure relies on good faith, but it's better than doing nothing.
And while there's a massive pile of patches here, it's not that massive of a hole - the primary risk is if you have users on your Linux/Unix box that you trust to run programs but not to have root on the box. This isn't an "anyone who can open a TCP connection to your box owns you now" sort of hole (at least not in any scenario we've thought of - unfortunately with lower-level library code, we don't know all the ways programs may be using it).
Kill X with fire and focus the same amount of effort in making Wayland a reality. How many man-years are wasted on patching up X, which is a technology dating back as long as most people here have been alive?
After the worst legacy stack (X) is replaced, maybe the community can get together and write a replacement for glibc, which is by this point the second most legacy and defect-by-design stack in use almost everywhere.
Running Debian Squeeze (oldstable) and they were available pretty quick.
@varikonniemi: Consider this comment (quoted without attribution in van Sprundel's presentation), and then consider that Wayland uses XKB, as do so many new projects:

Shoot me now. And then shoot Daniels for not freeing us from XKB yet.
And then shoot anyone who volunteers to try to fix XKB, before it's too late for them too.
The Wayland FAQ even acknowledges that X isn't going anywhere anytime soon ("Is wayland replacing the X server?").
It may be old technology, but it's technology that's used by everybody running a GUI on Linux, BSD or Solaris.