Among the highlights, these two releases resolve CVE-2014-0097, which allows a malicious user to impersonate a user by supplying an empty password if ALL of the following hold true:
- The application is using ActiveDirectoryLdapAuthenticator
- The directory allows anonymous binds (not recommended)
NOTE: This does NOT impact users of LdapAuthenticationProvider or
For full details on the releases, please refer to the previously mentioned change logs.
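
As an added illustration of the conditions listed above (this is not code from the Spring Security project or from these releases), the following hypothetical `NonEmptyPasswordGuard` wraps any `AuthenticationProvider` and refuses empty passwords before a bind can be attempted. The class name and the always-succeeding stand-in provider in `main` are assumptions made for the example; it needs Spring Security on the classpath.

```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/** Hypothetical guard (not a Spring Security class): rejects empty passwords before any LDAP bind. */
public class NonEmptyPasswordGuard implements AuthenticationProvider {
    private final AuthenticationProvider delegate;

    public NonEmptyPasswordGuard(AuthenticationProvider delegate) {
        this.delegate = delegate;
    }

    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        Object credentials = auth.getCredentials();
        // A simple bind with a name and a zero-length password is an unauthenticated
        // bind (RFC 4513, section 5.1.2): a directory that accepts it reports success
        // without checking any password. Non-String credentials are refused as well.
        if (!(credentials instanceof String) || ((String) credentials).isEmpty()) {
            throw new BadCredentialsException("Empty password rejected before bind");
        }
        return delegate.authenticate(auth);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return delegate.supports(authentication);
    }

    public static void main(String[] args) {
        // Constructed stand-in for a provider whose directory accepts the bind.
        AuthenticationProvider permissive = new AuthenticationProvider() {
            public Authentication authenticate(Authentication a) { return a; }
            public boolean supports(Class<?> c) { return true; }
        };
        AuthenticationProvider guarded = new NonEmptyPasswordGuard(permissive);
        Authentication empty = new UsernamePasswordAuthenticationToken("alice", "");
        System.out.println("unguarded: accepted = " + (permissive.authenticate(empty) != null));
        try {
            guarded.authenticate(empty);
            System.out.println("guarded: accepted");
        } catch (BadCredentialsException e) {
            System.out.println("guarded: rejected (" + e.getMessage() + ")");
        }
    }
}
```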