WordPress has identified a number of security hardening changes that were worth back-porting to the 2.8 branch so as to get these improvements out there and make all your sites as secure as possible.
The headline changes in this release are:
* A fix for the Trackback Denial-of-Service attack that is currently being seen.
* Removal of areas within the code where php code in variables was evaluated.
* Switched the file upload functionality to be whitelisted for all users including Admins.
* Retiring of the two importers of Tag data from old plugins.