To accompany the official release announcement, I would like to point out a few of the most important changes in this release:
- .htaccess change that prevents looking at your extensions' XML files - while this was not a security hole by itself, it left the door open for hackers to see which version of a particular extension you are running. To put this fix into effect you have to uncomment (remove the #) the corresponding section (lines 35-39) in htaccess.txt and rename htaccess.txt to .htaccess (or copy/paste that part into your existing .htaccess; it must be inserted at the same place).
  TEST before you put this on a live site - if your site is serving publicly accessible XML then this is not directly usable for you - you would need to make exceptions for those files or use regex-based rules for blocking. It is also not usable for those without apache/mod_rewrite.
- PHP 5.3.x compatibility - Joomla runs fine on PHP 5.3.x now (except for the OpenID library)
- Core components caching - com_weblinks and com_contact are using the cache for the first time. The com_content view cache also comes with more refined caching logic, so that caching is disabled only where it needs to be (e.g. for users using filters). This should result in speed increases on high-traffic sites.
Other notable bugfixes:
- TinyMCE is now working properly - all remaining bugs created by the recent TinyMCE upgrade should be gone now
- MooTools was upgraded to 1.1.2 to ensure future compatibility with Firefox 3.6
For those who would like to enable access to XML inside their extensions, one way would be to create a .htaccess in each directory that contains .xml files and put the reverse rule in it (or in a directory above the directories that need exceptions - it applies to the current directory and all directories below):
<Files ~ "\.xml$">
Allow from all
</Files>
or an even more explicit rule, limited only to myfile.xml:
<Files "myfile.xml">
Allow from all
</Files>
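To check that the block was really uncommented and that a per-directory exception only opens the file you meant, here is an added audit sketch (not part of Joomla or the original post). It assumes Apache 2.2 `Deny from all` / `Allow from all` syntax, uses constructed sample .htaccess text, and simplifies Apache's merging to "the last matching rule, deepest directory, wins".

```python
import re
from fnmatch import fnmatchcase

OPEN = re.compile(r'^<Files(Match)?\s+(~\s*)?"?([^">]+)"?\s*>$', re.I)
CLOSE = re.compile(r'^</Files(Match)?>$', re.I)

def files_sections(text):
    """Return [(is_regex, pattern, directives)] for every uncommented <Files> section."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # a leading '#' leaves the line inactive
            continue
        m = OPEN.match(line)
        if m:
            current = (bool(m.group(1) or m.group(2)), m.group(3).strip(), [])
        elif CLOSE.match(line):
            if current:
                sections.append(current)
            current = None
        elif current:
            current[2].append(line.lower())
    return sections

def verdict(text, filename):
    """'deny', 'allow' or None: last 'from all' rule in a section matching filename."""
    result = None
    for is_regex, pattern, directives in files_sections(text):
        hit = re.search(pattern, filename) if is_regex else fnmatchcase(filename, pattern)
        if not hit:
            continue
        for d in directives:
            m = re.match(r'(allow|deny)\s+from\s+all\b', d)
            if m:
                result = m.group(1)
    return result

def effective(chain, filename):
    """chain: .htaccess texts ordered from the site root down to the file's directory."""
    result = None
    for text in chain:
        result = verdict(text, filename) or result
    return result

# Constructed samples (assumed Apache 2.2 syntax, not copied from htaccess.txt).
SHIPPED = '#<Files ~ "\\.xml$">\n#Order allow,deny\n#Deny from all\n#</Files>\n'
ENABLED = SHIPPED.replace("#", "")
EXCEPTION = '<Files "myfile.xml">\nAllow from all\n</Files>\n'
```

A `None` result means no rule covers the file, so it is served as before; confirm the real behaviour with an HTTP request against a test copy of the site.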