I just received the July 23rd announcement of session fixation from the security mailing list.
------------SA-2008-046 - DRUPAL CORE - SESSION FIXATION------------
* Advisory ID: DRUPAL-SA-2008-046 ... * Date: 2008-July-23
... but the headers say
Received: from www1.drupal.org (www1.drupal.org [140.211.166.61]) by fraxinus.osuosl.org (Postfix) with ESMTP id F241F3C700 for mail@webthatworks.it; Thu, 31 Jul 2008 06:03:15 +0000 (UTC) Received: by www1.drupal.org (Postfix, from userid 81) id F072D16B4E8; Thu, 31 Jul 2008 06:03:15 +0000 (UTC)
fortunately I upgraded much before... but the email was actually sent today.