Quoting the BBC:
“In its “highly critical” announcement, Drupal’s security team said anyone who did not take action within seven hours of the bug being discovered on 15 October should “should proceed under the assumption” that their site was compromised.”
Don’t know if the maintainers were aware of this here. Hopefully Haiku’s site isn’t affected. I guess they say part of the problem is no auto update in Drupal.