Saw this on Freshmeat today:
Changes [in the new version]: A security flaw allowed authentication to be bypassed, allowing arbitrary code execution. This was fixed. JDBC and JID optimizations were done.
(Emphasis mine).
Wait, really? rock-solid security != arbitrary code execution, last time I checked.