Tuesday, August 16. 2005
WordPress 1.5.2 has been released in response to the vulnerabilities. Unfortunately I had to tell the authors that while they have properly fixed the SQL injection vulnerabilities which I had disclosed to them 26 days before, they have not properly fixed the remote code execution exploit.
With a trivial modification of the published exploit code, it will still work against WordPress 1.5.2. A fix for this was committed 2 days ago, after I had sent them the necessary code.
Yeah, and it is still being reported that some "experts" claim this is a vulnerability in PHP and not in WordPress. When the pope visits Cologne in 2 days, maybe I should ask him how to deal with false prophets.
Update: The WordPress 1.5.2 tarball was silently replaced with a fixed one most probably 9 hours after the original release. So some who have updated are vulnerable and some not.
Update 2:
Because the WordPress developers try to hide the fact that they acted irresponsibly, by writing things into their own blogs that are far from true, here is a little clarification.
The remote code execution vulnerability in WordPress <= 1.5.1.3 was originally reported by someone else, not me. It was obviously fixed in their subversion tree, and some hours later someone posted an exploit for this to the security mailing list Full-Disclosure. I reported about this in my blog some (4!) days later, because I had also reported SQL injection holes in WordPress <= 1.5.1.3 26 days before and there was still no fix in subversion or a new updated version.
The original tarball of WordPress 1.5.2 was created at 21:06 CET on the 14th of August. I downloaded it some time later, when I came back home. I immediately saw that the bugs I had reported were fixed, but that the remote code execution flaw was not fixed. At 23:16 CET I sent a mail to Matt telling him about the bugs and sent him a fix. Unfortunately I sent him the wrong code and had to resend it. Matt did not understand the problem from my first mail and therefore at 2:xx CET we mailed again. According to the timestamp of the WordPress 1.5.2 announcement on wordpress.org it was written at 23:17 UTC, which is 1:17 CET. This means that when the announcement went public Matt had not understood the problem yet. At 5:56 CET I received a mail saying that he had fixed it. The subversion timestamp of his commit says that he committed at 5:57 CET, and the replaced tarball has a timestamp from 6:02 CET.
With a bit of math you will realise that there is a difference of 9 hours between the creation of both tarballs and that there are 4 hours and 45 minutes between the announcement on wordpress.org and the creation of the fixed tarball.
When spreading the lie that the announcement was released after the tarball was fixed, they forgot that tarballs and blog postings have timestamps in them.
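The timestamp argument above can be checked mechanically: the member mtimes inside a tarball and its content digest tell apart two archives published under the same release name. The following Python is an added example, not code from this post or from the WordPress project; the two archives and their times are constructed samples, and "CET" is taken literally as UTC+1 as the post labels its times.

```python
import hashlib
import io
import tarfile
from datetime import datetime, timedelta, timezone


def tarball_fingerprint(data: bytes) -> dict:
    """Return the SHA-256 digest and the newest member mtime (UTC) of a tarball.

    The newest mtime approximates when the packaged files were last written;
    two archives with the same name but different digest or newest mtime are
    not the same release artifact, however quietly one replaced the other.
    """
    digest = hashlib.sha256(data).hexdigest()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        mtimes = [m.mtime for m in tar.getmembers() if m.isfile()]
    newest = datetime.fromtimestamp(max(mtimes), tz=timezone.utc) if mtimes else None
    return {"sha256": digest, "newest_mtime": newest, "files": len(mtimes)}


def compare_releases(first: bytes, second: bytes) -> dict:
    """Compare two downloads of a 'same' release: digest match and mtime gap."""
    a, b = tarball_fingerprint(first), tarball_fingerprint(second)
    return {
        "same_digest": a["sha256"] == b["sha256"],
        "mtime_delta": b["newest_mtime"] - a["newest_mtime"],
    }


def _make_tarball(files: dict, mtime: datetime) -> bytes:
    """Build a gzip tarball in memory (constructed sample, not a real release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            info.mtime = int(mtime.timestamp())
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


# Constructed samples: same file set, one member changed, packaged ~9 hours apart
# (assumed offset UTC+1 for the times the post labels CET).
CET = timezone(timedelta(hours=1))
ORIGINAL = _make_tarball({"wp/readme.html": b"1.5.2\n", "wp/inc/x.php": b"<?php // old\n"},
                         datetime(2005, 8, 14, 21, 6, tzinfo=CET))
REPLACED = _make_tarball({"wp/readme.html": b"1.5.2\n", "wp/inc/x.php": b"<?php // fixed\n"},
                         datetime(2005, 8, 15, 6, 2, tzinfo=CET))

if __name__ == "__main__":
    print(compare_releases(ORIGINAL, REPLACED))
```

Run against two real downloads of one release, a digest mismatch plus a non-zero mtime gap is the evidence that the artifact was swapped after publication.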