Release Notes: Multiple vulnerabilities were fixed related to optimistic cross-site request forgery protection in the Form API validation, multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() which affected the Form API, OpenID and random password generation, code execution prevention using the files directory .htaccess for Apache, access bypassing for security token validation, cross-site scripting in the image and color modules, and an open redirect in the overlay module.
Release Notes: This release fixes multiple vulnerabilities due to optimistic cross-site request forgery protection, multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand(), code execution prevention, and access bypassing. To fix the code execution prevention vulnerability on existing Apache installations also requires changes to your site's .htaccess files in the files directories.
Release Notes: Only fixes for security vulnerabilities and other bugs have been committed. There are no new features. Sites are urged to upgrade immediately after reading the security announcement.
Release Notes: Holes in the XML-RPC library were fixed by replacing the library altogether.