From the Fedora advisory:
* Function names in diff headers are no longer rendered as HTML.
* If a user’s full name contained HTML, the Submitters list would render it as HTML, without
escaping it. This was an XSS vulnerability.
* The default Apache configuration is now more strict with how it serves up file attachments.
This does not apply to existing installations. See
* Uploaded files are now renamed to include a hash, preventing users from uploading malicious
filenames, and making filenames unguessable.
* reCAPTCHA support has been updated to use the new URLs provided by Google.