Why mark 4.2.8 as a emergency security update?

[SilverBut]

From the release notes I can see the primary change is about disabling open registration by default, which looks like a feature update more than a security one.

I understand spam is an urgent problem at this time. However since the update will not be automatically applied, those unmaintained sites will not get this update. If those administrators got the update, they will naturally notice the spams.

I would expect an update means there is an ongoing exploit being used in the wild, and the update is emergency because even a good instance admin would require this patch to solve the root problem. I think this version is not an emergency one. An incorrectly marked update is some story like "wolf is coming" for me, and I think it's more dangerous than a real bug.

Is there any detailed reason or guidelines on marking emergency updates?

[ClearlyClaire]

The 4.2.8 upgrade is not itself marked as urgent, but it will show up as urgent on your server if you are on a version older than 4.2.7, as 4.2.7 is urgent, and the link is always to the latest patch release for your branch.