I am not even sure that we should be posting about new releases any longer. With the 2.0 branch of WordPress dead, everyone should be running a version of WordPress that notifies you of new releases, so this will probably be the last point release that I talk about on here unless you, the readers, would prefer it otherwise.
For those not in the know, it seems like another security issue has been found. This one is more of an annoyance than a true security issue, but it is worth upgrading for.
Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass the security check that verifies a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.
Check it out on the WordPress.org Blog if you need more details about the fix.
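A simplified model of the flaw described above, added here as an illustration: it is not WordPress's code, and the table layout, function names and 20-character key format are assumptions. It shows why a reset-key check that lets an empty value through ends up matching the first account with no key stored, next to a check that refuses it.

```python
import hmac
import sqlite3

KEY_LEN = 20  # assumed key length for this model


def make_db():
    # Constructed sample data: admin and bob never requested a reset,
    # so their stored key is empty; alice has a pending reset.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, "
               "reset_key TEXT NOT NULL DEFAULT '')")
    db.executemany("INSERT INTO users (login, reset_key) VALUES (?, ?)",
                   [("admin", ""), ("alice", "k3yAlice0123456789ab"), ("bob", "")])
    return db


def lookup_weak(db, key):
    # Flawed check: only a missing key is rejected, so an empty key reaches
    # the query and matches the first account that has no key stored.
    if key is None:
        return None
    row = db.execute("SELECT login FROM users WHERE reset_key = ? "
                     "ORDER BY id LIMIT 1", (key,)).fetchone()
    return row[0] if row else None


def lookup_hardened(db, login, key):
    # Require a well-formed string key, tie it to the named account, and
    # refuse any account that has no reset pending.
    if not isinstance(key, str) or len(key) != KEY_LEN:
        return None
    if not (key.isascii() and key.isalnum()):
        return None
    row = db.execute("SELECT reset_key FROM users WHERE login = ?",
                     (login,)).fetchone()
    if row is None or row[0] == "":
        return None
    # Constant-time comparison of the stored and supplied keys.
    return login if hmac.compare_digest(row[0].encode(), key.encode()) else None


if __name__ == "__main__":
    db = make_db()
    print("weak, empty key ->", lookup_weak(db, ""))
    print("hardened, empty key ->", lookup_hardened(db, "admin", ""))
```
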