See here: http://www.joomla.org/announcements/release-news/5212-joomla-157-security-release-now-available.html Joomla page is currently down, so I can't tell more atm.
CVE-2008-4102 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4102): Joomla! 1.5 before 1.5.7 initializes PHP's PRNG with a weak seed, which makes it easier for attackers to guess the pseudo-random values produced by PHP's mt_rand function, as demonstrated by guessing password reset tokens, a different vulnerability than CVE-2008-3681. CVE-2008-4103 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4103): The mailto (aka com_mailto) component in Joomla! 1.5 before 1.5.7 sends e-mail messages without validating the URL, which allows remote attackers to transmit spam. CVE-2008-4104 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4104): Multiple open redirect vulnerabilities in Joomla! 1.5 before 1.5.7 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a "passed in" URL. CVE-2008-4105 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4105): JRequest in Joomla! 1.5 before 1.5.7 does not sanitize variables that were set with JRequest::setVar, which allows remote attackers to conduct "variable injection" attacks and have unspecified other impact.
Added joomla-1.5.7, removed vulnerable joomla-1.5.5, -1.5.6. Unstable on all arches, masked for security reasons anyhow. Webapps done.
