Another security release – here’s what it fixes:

• Fix XSS bug: Properly encode title used in Quick/Bulk Edit, and offer additional sanitization to various fields. Affects users of the Author or Contributor role. (r17397, r17406, r17412)
• Fix XSS bug: Preserve tag escaping in the tags meta box. Affects users of the Author or Contributor role. (r17401)
• Fix potential information disclosure of posts through the media uploader. Affects users of the Author role. (r17393)
• Enhancement: Force HTML filtering on comment text in the admin (r17400)
• Enhancement: Harden check_admin_referer() when called without arguments, which plugins should avoid. (r17387)
• Update the license to GPLv2 (or later) and update copyright information for the KSES library.

Go forth, and update!