https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002148.html
So in the link posted above:
not on the following versions of either of these implementations (these
versions are fully patched), then you need to upgrade now to avoid risk of
funds loss:
* lnd v0.7.1 -- anything 0.7 and below is vulnerable
* c-lightning v0.7.1 -- anything 0.7 and below is vulnerable
* eclair v0.3.1 -- anything 0.3 and below is vulnerable
But in the actual "release" of the vulnerability (It had been discussed for a while on some hacker sites and at DefCon)
https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-September/002174.html
They put this in the timeline:
While having this in the text above it:
was unlikely to be discovered by a malicious party before being fixed, it did
provide an opportunity to test communications and methods of upgrade across
the entire lightning ecosystem.
That's some really good doublethink.
-Dave