The MozillaZine article has more:
Paul and mikx reported the vulnerability to the Mozilla Foundation and bug 292691 was filed on Monday 2nd May. In line with the Mozilla security bugs policy, access to the bug report was restricted to members of the security team. However, somebody else found out and leaked the details of the exploit. […] In a message to the Full Disclosure mailing list, Paul criticised the individual who leaked the details of the Firefox code execution exploit, condemning his or her actions as “inconsiderate” and “irresponsible”.
Indeed. Whoever leaked the details just put several million users at risk unnecessarily. The specifics of the flaw would have been released in a few days anyway once 1.0.4 was released – couldn’t they have waited for the official disclosure?
I could of course rant at all the other security sites with the details of this flaw – Secunia included – but the cat’s out of the bag now. Alex Bishop’s analysis of one security report is interesting reading.