If a normal bug depends on a security bug, anyone can CC to the dependend bug. On changes to the status of the security bug, everyone CCed to the depending bug will get a notification including the summary of the security bug. Expected: The summary should only be disclosed to authorised persons, to all other the bug summary should not shown in the notification mail.
You didn't mention what date you pulled 2.15 - this should be fixed in RC1. *** This bug has been marked as a duplicate of 99608 ***
I saw this today at bugzilla.mozilla.org (bug 143200 depending on 143369). I don't know, which build they use.
Yes bmo is older than the fix for this bug.