#853220 (Bug #72903) Administrators can now disable system info along with the related log and php info pages by setting 'disable_system_info' to true under the 'security' config. By default, system info is still accessible to authenticated admin or super level users.
#853054, #853496, #853533 (Bug #72881) The CSRF token is now passed as a POST param not a GET param. This should reduce the risk of exposure in logs, referrers, etc.
#846204, #853041 (Bug #72805) Fixed a local XSS vulnerability in error messages when posting forms in Swarm.