This is a security upgrade. You can download it from the usual location at http://yawiki.com/.
Arnaud Limbourg performed a full code audit for $_GET, $_POST, and $_SERVER usage. He discovered some instances of unescaped $_SERVER values in the controller scripts (not the templates). Escaping has been applied to those instances, even in some cases where it does not appear immediately necessary. The flaws have no reported exploit in the wild, but users are strongly encouraged to upgrade regardless.
Thanks, Arnaud. 🙂