For security reasons, we don't want to reveal too much of what's going on until everyone has had a chance to upgrade, but we will say that you can temporarily make your site immune to the vulnerability by removing the symlinks to search.pl and submit.pl.
We are urging all sites that are running a version of the code from CVS to upgrade now to the CVS tag R_2_5_0_41. Sites running the 2.2.6 tarball, the latest official release, do not need to upgrade: the issue is not present there.
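The temporary mitigation above is just "remove two symlinks", but on a live site you want to be sure you are removing links rather than the only copy of the scripts, and you want a record that lets you put them back once you have upgraded. The shell snippet below is an added example, not part of the Slashcode announcement or the Slash code base. It assumes the site's htdocs directory is passed in as the first argument (Slash sites typically symlink search.pl and submit.pl from a per-site htdocs directory to the shared install; check your own layout), refuses to delete anything that is a regular file, and writes each link's target to a restore file so the same script can recreate the links after the upgrade.

```sh
#!/bin/sh
# Added example, not from the Slashcode announcement: temporarily disable
# search.pl and submit.pl by removing their symlinks from a site's document
# root, recording each link target so the links can be restored later.
# The document-root argument is an assumption about your site layout.

# disable_scripts DOCROOT RESTORE_FILE
# For each of search.pl and submit.pl under DOCROOT: if it is a symlink,
# append "name -> target" to RESTORE_FILE and remove the link.  Returns 0
# when nothing dangerous was encountered, 1 if either name exists as a
# regular file (deleting that would destroy the script itself, so we
# refuse and leave it for the administrator to look at).
disable_scripts() {
    docroot=$1
    restore=$2
    status=0
    for name in search.pl submit.pl; do
        path="$docroot/$name"
        if [ -L "$path" ]; then
            target=$(readlink "$path")
            printf '%s -> %s\n' "$name" "$target" >> "$restore"
            rm "$path"
        elif [ -e "$path" ]; then
            echo "refusing to remove $path: not a symlink" >&2
            status=1
        fi
    done
    return $status
}

# restore_scripts DOCROOT RESTORE_FILE
# Recreates the symlinks recorded by disable_scripts, one per line.
restore_scripts() {
    docroot=$1
    restore=$2
    while IFS= read -r line; do
        name=${line%% -> *}
        target=${line#* -> }
        ln -s "$target" "$docroot/$name"
    done < "$restore"
}
```

While the links are gone, requests for search.pl and submit.pl will get a 404 from the web server, so searching and story submission are unavailable until you upgrade and run restore_scripts. Removing the links does not stop a copy of the real scripts elsewhere on the server from being reachable through some other path, so treat this as a stopgap and still apply the upgrade.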
(We're overhauling the section and topic system, replacing it with something more flexible.)
We feel pretty good about the stability of _151; it has been running on Slashdot for a couple of weeks with no real problems.
The big change, committed shortly after _151, is the switch from users.pl to login.pl for authentication and related operations. That seems to be working but it hasn't been tested enough to merit an R_ yet. In fact, this may be the last R_ tag that we do for a while, since there are big changes that will be committed in the weeks to come which will put the damper on R'ing.
Here's the CVS tree if you want to browse, and here are the instructions to download:
    $ cvs -d:pserver:email@example.com:/cvsroot/slashcode login
    CVS password: (hit return, there is no password)
    $ cvs -d:pserver:firstname.lastname@example.org:/cvsroot/slashcode co slash
    (much activity)
    $ cd slash
    $ cvs update -r R_2_3_0_151 -dP