
Of note: the Firefox vulnerabilities were all buffer overflow related.

AKA, not possible in Rust...



Not all of them. One was a use after free, which isn't related to buffer overflows. Two other ones are not clear what they were caused by:

By Mariusz Mlynski:

Against Mozilla Firefox, two vulnerabilities, one allowing privilege escalation within the browser and one bypassing browser security measures.

http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2O...

http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2O...


Whoops, thanks. That one is also not possible in Rust, so my point still stands. ;)


Use-after-free is also prevented by Rust.


Mozilla's post from the March Who's Hiring thread:

"Servo is a new web browser engine. It is designed to be more memory safe (far and away the #1 cause of browser engine security bugs!) through use of the new Rust programming language"

They're trying. They're on it, you know? They need more talent sent their way I suppose.


"To be very clear: Servo is a research project. It is not aimed to replace Gecko. It gives us the opportunity to experiment with new approaches, new patterns and new technologies, like Rust, another research project we are working on." (Emphasized in original)

http://paulrouget.com/e/servo/


Any idea when this will be applicable to real world Firefox?


The party line from Mozilla is that Servo will never replace Gecko, so... never?


That is what I have read. When I saw your post I thought/hoped there was a new development.



