These releases address the following security issues:
- It was possible for users in the Group Admin and User Admin groups to become a member of the Root group (reported by Samuel M. Stone, bug #135).
- Being admin for a certain area (e.g. Story Admin for stories) made it possible to delete any object in that area (e.g. any story), including objects the user was not supposed to have access to, provided the id of the object was known.
- It was possible to delete other people's personal events if you knew the event ID.
- It was possible to browse through the comments of a story even if the user did not have access to the actual story (reported by Peter Roozemaal).
- Due to an XSS issue, it was possible to change someone's account settings (including the password) if you got them to click on a specially crafted link (reported by Jelmer, fix suggested by Vincent Furia).
- The comment display was vulnerable to SQL injection (reported by Jelmer).
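Several of the items above share two root causes: an action authorised only by knowing an object's id (the story, event and comment cases) and user-controlled input interpolated into a query (the comment display). The following is an added example, not Geeklog's own code, showing the hardened form of both in PHP with PDO. The `events` and `comments` tables, their columns and the sample rows are constructed for illustration; the in-memory SQLite DSN is a placeholder for a real connection.

```php
<?php
// Added example (not Geeklog code). Hypothetical tables:
//   events(id, owner_uid, title)  and  comments(cid, sid, comment)
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:'); // placeholder DSN for the demo
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, owner_uid INTEGER NOT NULL, title TEXT NOT NULL)');
    $pdo->exec('CREATE TABLE comments (cid INTEGER PRIMARY KEY, sid TEXT NOT NULL, comment TEXT NOT NULL)');
    // Constructed sample rows: event 1 belongs to uid 100, event 2 to uid 200.
    $pdo->exec("INSERT INTO events VALUES (1, 100, 'Alice event'), (2, 200, 'Bob event')");
    $pdo->exec("INSERT INTO comments VALUES (1, 'story1', 'first'), (2, 'story1', 'second')");
    return $pdo;
}

/**
 * Delete a personal event. The WHERE clause binds both the event id AND the
 * requesting user's id, so knowing someone else's event id is not enough:
 * the statement simply affects zero rows. Returns true only if a row was deleted.
 */
function deleteOwnEvent(PDO $pdo, int $eventId, int $requestingUid): bool
{
    $stmt = $pdo->prepare('DELETE FROM events WHERE id = :id AND owner_uid = :uid');
    $stmt->execute([':id' => $eventId, ':uid' => $requestingUid]);
    return $stmt->rowCount() === 1;
}

/**
 * Fetch the comments of a story. The story id comes from the request as a
 * string and is passed as a bound parameter, never concatenated into SQL,
 * so it cannot change the shape of the query. Callers must still verify
 * that the user may read the story itself before showing its comments.
 */
function fetchComments(PDO $pdo, string $sid): array
{
    $stmt = $pdo->prepare('SELECT cid, comment FROM comments WHERE sid = :sid ORDER BY cid');
    $stmt->execute([':sid' => $sid]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connect();
var_dump(deleteOwnEvent($pdo, 1, 200));  // bool(false): uid 200 does not own event 1
var_dump(deleteOwnEvent($pdo, 1, 100));  // bool(true): the owner may delete it
var_dump(count(fetchComments($pdo, 'story1')));           // int(2)
var_dump(count(fetchComments($pdo, "story1' OR 1=1--")));  // int(0): treated as a literal sid
```

The ownership check lives in the query itself rather than in a separate lookup, which avoids a check-then-act gap and keeps the rule in one place; the same pattern applies to area admins, where the WHERE clause would bind the permission scope the admin actually holds.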
As usual, there's an upgrade[*1] and complete tarball[*2] for 1.3.8-1sr4. The 1.3.7sr5 upgrade[*3] is only available as an upgrade tarball and requires 1.3.7sr4.
Please make sure you're picking the correct upgrade file. Looking through some of the forum posts reporting problems after upgrades, it looks like some of them have been caused by applying a 1.3.7 upgrade on a 1.3.8 install. Please don't let the digit after the "sr" confuse you - it's 1.3.7sr5, but 1.3.8-1sr4.