WordPress 3.5.2 just shipped and addresses a few security issues, one of which was brought up around June 7th. The release also contains a few bug fixes. It’s been a while since we’ve seen a dedicated security release but I guess it’s time to start a new streak.
Also of note is that the WordPress team has decided to fork the SWFUpload project so that they can maintain it with security fixes. The Make.WordPress.core post strongly urges developers not to use SWFUpload but, if they must, to use the WordPress fork. It’s interesting that WordPress itself does not use this library, yet it continues to be shipped with WordPress because plugins have not been updated to use Plupload.
Last but not least, some information geared towards everyone.
We do not condone the use of abandonware. We only wish to make the web a better place by ensuring that developers have access to a secure version of SWFUpload, when the only alternative may be to use insecure code.
If you think you have found a vulnerability in this fork of SWFUpload, we appreciate your help in disclosing it to us responsibly. Please email reports of security vulnerabilities to swfupload-security AT wordpress.org. These reports will be reviewed by the WordPress security team and by security researchers contributing to this project, including Neal and Szymon.
If you’re testing WordPress, WordPress 3.6 Beta 4 includes all of the fixes in 3.5.2.