Release Notes: This RC fixes a cross-site scripting bug and multiple other minor bugs, most notably in the installer and the LDAP backend.
Release Notes: This release fixes two bugs which allowed illegitimate users to view pages for which they had no read permission. These bugs only affected users using the ACL feature. Some smaller bugs have been fixed, also.
Release Notes: This is a security update for the experimental ACL feature (disabled by default). By adding a wrong parameter to the URL an attacker can bypass the ACL control and gain read access to an otherwise hidden document.