Comment 2 for bug 918608

Note that this issue raises a new vulnerability process question: should we release advisories for a project that was never officially released ? (My take on it is that it's sufficiently serious for us to do an advisory even if no "official" version exists)