Special thanks go to Sebastian Bergmann for identifying the vulnerability with the installation process, and to our own Geoffrey Snedders for identifying and fixing a cross-site request forgery vulnerability! See the 0.6.2 release notes for full details of the fixes.
The Habari Community is dedicated to making Habari as safe and as secure as possible. If you believe you've identified a security vulnerability, please contact firstname.lastname@example.org.
UPDATE: A small typo slipped past our review process, such that the password reset link reads "Forgot Your Passwor". Note the missing "d". Ticket 970 has been opened, and will be resolved in the next release of Habari. Since the typo is not a security or data loss issue, it does not meet our criteria for a new release, and we felt that sneaking the fix into the 0.6.2 release after it had been prepared was a bad precedent to set.