I fully appreciate that everyone involved here does so on a volunteer and best efforts basis. That said ...
For the boards that I operate we've been well served by the policy to use only official phpBB releases and officially released extensions, so this precludes applying fixes directly from GitHub as they're not officially sanctioned phpBB releases.
Thus the essence of the problem for me is the known and now publicized security issue that affects phpBB 3.2.3 (and I presume lower) and the lack of clarity of whether the extensions that our boards use will be affected by the issue flagged in the first post of this topic. All my offline testing of the update has gone well but there is no way to know if this known issue will show up if we update our production board(s).
The known issue has been flagged as Major, but I would suggest based on what we know so far it probably could be considered "Blocking", I know that is how it is viewed for the boards I run.
In my specific case the only extension that seems like it might be affected is one of the Official extensions
from the phpBB team, so I was hopeful there would be an answer from the developers on whether or not the extension was affected by this known issue. That's the only way I'd be comfortable moving forward to phpBB 3.2.4 based on the information that has been made available so far.
Normal people… believe that if it ain’t broke, don’t fix it. Engineers believe that if it ain’t broke, it doesn’t have enough features yet. – Scott Adams