This is a security upgrade. You can download it from the usual location at

Arnaud Limbourg performed a full code audit for $_GET, $_POST, and $_SERVER usage. He discovered some instances of unescaped $_SERVER values in the controller scripts (not the templates). Escaping has been applied to those instances, even in some cases where it does not appear immediately necessary. The flaws have no reported exploit in the wild, but users are strongly encouraged to upgrade regardless.

Thanks, Arnaud. :-)

Are you stuck with a legacy PHP application? You should buy my book because it gives you a step-by-step guide to improving you codebase, all while keeping it running the whole time.