It is weird, two of them (CVE-2015-0288 and CVE-2015-0209) are listed here also with links to patches, https://security-tracker.debian.org/tracker/source-package/o...
Why have embargo on the vulnerabilities if you publish patches anyway? Which makes me think that the patches has not been committed yet and that the embargoed are different ones than these.