It's ugly but I updated just a few minutes ago, although the patch has been available for 16 hours. The thing is, `drush up` did not show available updates for me yesterday, and I was hesitating between going to bed and manually applying a patch. Finally, I went to bed.
It's a pity Drupal infrastructure was not up to the task of distributing updates to everyone at the moment of announcement.
what you were probably missing is drush pm-refresh.
drush updates its information about the latest available versions only every few hours. Which... in times of urgent severe vulns that need to be patched immediately is probably something they should reconsider.
Similarly, if you use Composer, it can cache things for up to 10-15 minutes. Also, Drupal.org’s subtree split process takes 5-10 minutes to push out a new core update to Packagist, so if you wait for the update using Composer it could be 20-30 minutes.
The most reliable method is to use Git, Drush, or the patch plugin with Composer to apply the patch immediately, and push it out to your servers. Then update to the latest core version and push that out to your servers once it’s ready.
The security team usually links to the raw patch file for each new version in the CVE.
It's a pity Drupal infrastructure was not up to the task of distributing updates to everyone at the moment of announcement.