Updates should be seamless for the vast majority of people, otherwise make sure that all plugins are also updated to their most recent version, especially admin-side plugins.

Download

Changes since 4.0.5

• Safer use of txp_login cookie + nonce (note: users are logged out after upgrading!)
• Fixed XSS vulnerability (thanks DSecRG) and input validation in setup script.
• Fixed XSS vulnerability and parameter value overflow in comments preview (thanks DSecRG)
• Added missing escape in SQL query (admin side)
• Fixed local file include vulnerability (publisher only) in textpattern/index.php (thanks DSecRG and Victor)
• Fixed escape request method as shown on logs tab (thanks Victor)
• New translations: Croatian, Korean, Português (Brasil), Serbian (Latin + Cyrillic), Turkish and Vietnamese
• New tags: <txp:if_search_results> and <txp:search_term />.
• <txp:thumbnail /> allows non-JS links to the full-size image
• <txp:article_custom /> allows comma-separated lists for category, section and author attributes (thanks Manfre)
• <txp:linklist /> allows comma-separated list for category attribute
• <txp:file_download_list /> allows comma-separated list for category attribute
• <txp:recent_articles /> allows comma-separated lists for category and section attribute
• <txp:related_articles /> allows comma-separated list for section attribute
• <txp:search_result_excerpt /> allows a custom breakattribute defaulting to an ellipsis
• Several tags have been deprecated and will be replaced automatically during the upgrade: <txp:sitename />, <txp:request_uri />, <txp:s />, <txp:c />, <txp:q />, <txp:id />, <txp:pg />
• Added ‘password reset’ functionality (with confirmation email) on the login screen
• Update to jQuery 1.2.2 as a default JavaScript library
• Fixed Textile list incompatibility with PHP 5.2.4 (and higher)
• Fixed http-auth when using Lighttpd or (mostly) Apache + fastCGI
• Fixed HTTPS protocol check for ISAPI with IIS
• Fixed use of article tags on a sticky article page
• Speed improvements (less SQL queries needed)
• Pages, sections and styles can no longer be accidentally deleted if they are used on other tabs
• Corrections in the tag builder
• Refrain from showing sticky articles from non-frontpage sections in search results
• Enable separate search section for messy URL mode
• Plugin developers should note that using add_privs() for admin-side plugins is now required (used to be optional for publisher-only plugins) and the included HISTORY.txt contains other useful information.
• Many, many minor improvements

Further reading

Forum thread for the announcement.