While taking a look into the changelog, I got a little flashback. The most prominent security issue was in fact an old and already published one: A detailed report of multiple wordpress vulnerabilities by Mage in the russian magazine Hacker 04/09 (google translation). The current reporter has updated his website regarding the credits. The original problem was introduced with #6644 in .
This somehow reminded me to something similar with the 2.9.2 release. A difference is, that there wasn’t a trac ticket or report first, but for the current fix there was (only) some article somewhere in the web. Interestingly it took so long until it was discovered.
Probably let’s file this as User Story and an in depth review of the source code could help here (not my idea, though) as users are not reporting much.