The headline changes in this release are:
* A fix for the Trackback Denial-of-Service attack that is currently being seen.
* Removal of areas within the code where php code in variables was evaluated.
* Switched the file upload functionality to be whitelisted for all users including Admins.
* Retiring of the two importers of Tag data from old plugins.
2.8.5 in CVS.
Not stable -> Closing noglsa. Thanks.
CVE-2009-3622 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3622): Algorithmic complexity vulnerability in wp-trackback.php in WordPress before 2.8.5 allows remote attackers to cause a denial of service (CPU consumption and server hang) via a long title parameter in conjunction with a charset parameter composed of many comma-separated "UTF-8" substrings, related to the mb_convert_encoding function in PHP.
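One way to handle the `charset` and `title` parameters named in the CVE text above before they reach `mb_convert_encoding`, as an added example that is not WordPress's own code and not part of this bug report. The function names, the `MAX_TITLE_BYTES` cap and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: strict handling of an untrusted trackback charset.
// Names and limits below are hypothetical, not taken from WordPress.

const MAX_TITLE_BYTES = 1024; // assumed upper bound for a trackback title

/**
 * Return one known encoding name for an untrusted charset value,
 * or null when the value must be rejected.
 */
function safe_trackback_charset(string $raw): ?string
{
    $candidate = strtoupper(trim($raw));

    // mb_convert_encoding() treats a comma-separated value as a list of
    // candidate source encodings, so accept a single name only.
    if ($candidate === '' || strpbrk($candidate, ", \t\r\n") !== false) {
        return null;
    }

    // Allow only encodings this mbstring build actually supports.
    $known = array_map('strtoupper', mb_list_encodings());
    return in_array($candidate, $known, true) ? $candidate : null;
}

/**
 * Convert a trackback title to UTF-8, or return null when the request
 * should be refused (bad charset or oversized title).
 */
function convert_trackback_title(string $title, string $rawCharset): ?string
{
    $charset = safe_trackback_charset($rawCharset);
    if ($charset === null || strlen($title) > MAX_TITLE_BYTES) {
        return null;
    }
    return mb_convert_encoding($title, 'UTF-8', $charset);
}

// Constructed sample inputs (not captured traffic).
$samples = [
    ['Hello world', 'ISO-8859-1'],              // single known encoding
    ['Hello world', 'UTF-8,UTF-8,UTF-8'],       // list form: refused
    [str_repeat('A', 5000), 'UTF-8'],           // oversized title: refused
    ['Hello world', 'NOT-A-CHARSET'],           // unknown name: refused
];
foreach ($samples as [$title, $charset]) {
    $out = convert_trackback_title($title, $charset);
    printf("%-20s => %s\n", substr($charset, 0, 20), $out === null ? 'rejected' : 'converted');
}
```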