Xen is very widely used by big cloud operators, principally Amazon Web Services. Xen bugs are therefore very, very valuable to criminals because if they can learn of a vulnerability they have millions of targets to attack. The Xen Project therefore cooked up new rules designed specifically to ensure that big operators get a couple of weeks in which to sort things out before world+dog is told about the bug.
Those processes weren't followed for XSA-169, as the notice of the bug sheepishly admits: “The fix for this bug was publicly posted on xen-devel, before it was appreciated that there was a security problem.”
That's far from a complete breakdown in the Project's processes, but also not a good look for an effort that provides critical code to a great many people around the world.
The good news is that a patch is already available.