wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature
is enabled, does not check for network-administrator privileges before
performing a network-wide activation of an installed plugin, which might
allow remote authenticated users to make unintended plugin changes by
leveraging the Administrator role.

The create_post function in wp-includes/class-wp-atom-server.php in
WordPress before 3.4.2 does not perform a capability check, which allows
remote authenticated users to bypass intended access restrictions and
publish new posts by leveraging the Contributor role and using the Atom
Publishing Protocol (aka AtomPub) feature.

Please drop 3.4.1 from tree.
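
The two missing checks described above, modelled as an added example (this is not WordPress's code and not the 3.4.2 patch). The role table, `user_can()` and both `*_checked` functions are hypothetical stand-ins written for this illustration; only the capability names `edit_posts`, `publish_posts`, `activate_plugins` and `manage_network_plugins` are WordPress's own.

```php
<?php
// Constructed subset of WordPress's default role-to-capability mapping.
const ROLE_CAPS = [
    'contributor'   => ['read', 'edit_posts', 'delete_posts'],
    'author'        => ['read', 'edit_posts', 'delete_posts', 'publish_posts'],
    'administrator' => ['read', 'edit_posts', 'publish_posts', 'activate_plugins'],
];

// Hypothetical stand-in for current_user_can(): on multisite, network-level
// capabilities belong to super admins only, never to a per-site role.
function user_can(array $user, string $cap): bool {
    if ($user['super_admin']) return true;
    if ($cap === 'manage_network_plugins') return false;
    return in_array($cap, ROLE_CAPS[$user['role']] ?? [], true);
}

// AtomPub-style create: the requested status decides which capability is required.
function create_post_checked(array $user, string $status): string {
    $cap = ($status === 'publish') ? 'publish_posts' : 'edit_posts';
    if (!user_can($user, $cap)) {
        throw new RuntimeException("denied, missing $cap");
    }
    return "post created with status $status";
}

// Plugin activation: a network-wide request requires the network capability.
function activate_plugin_checked(array $user, bool $networkWide): string {
    $cap = $networkWide ? 'manage_network_plugins' : 'activate_plugins';
    if (!user_can($user, $cap)) {
        throw new RuntimeException("denied, missing $cap");
    }
    return $networkWide ? 'activated network-wide' : 'activated for this site';
}

// Constructed users matching the two cases on this page, plus a super admin.
$contributor = ['role' => 'contributor', 'super_admin' => false];
$siteAdmin   = ['role' => 'administrator', 'super_admin' => false];
$superAdmin  = ['role' => 'administrator', 'super_admin' => true];

$attempts = [
    'contributor, draft'          => fn() => create_post_checked($contributor, 'draft'),
    'contributor, publish'        => fn() => create_post_checked($contributor, 'publish'),
    'site admin, single site'     => fn() => activate_plugin_checked($siteAdmin, false),
    'site admin, network-wide'    => fn() => activate_plugin_checked($siteAdmin, true),
    'super admin, network-wide'   => fn() => activate_plugin_checked($superAdmin, true),
];
foreach ($attempts as $label => $try) {
    try { echo "$label: ", $try(), "\n"; }
    catch (RuntimeException $e) { echo "$label: ", $e->getMessage(), "\n"; }
}
```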