When you are using 3rd party Drupal modules I strongly recommend signing up for the Drupal Security Announcements (the last 5 are also listed on the left side of this site).
When there is a security issue in the core of Drupal we (vbDrupal) ofcourse will try to produce an updated version ASAP.
However, we can't do such a thing for 3rd party modules. So it's adviced to sign up.

In order to sign up for these notifications you will have to log in on http://drupal.org . You should be able to reuse the account you have on this site (vbdrupal.org). Simply enter as username username@vbdrupal.org and as password the password you use on this site.
For example, if your username is on this site is JohnDoe you enter the name JohnDoe@vbdrupal.org.

After you log in you must enter a valid email address (otherwise you won't receive the announcements). You can enter this at "my account > edit > account settings"
To sign up for the annoucements check the box on "my account > edit > my newsletters"

Thanks for the advice. I've signed up based on this post.

This is a great example of why you should be a part of this newletter:

------------DRUPAL CORE - MULTIPLE CROSS SITE SCRIPTING
VULNERABILITIES------------

* Advisory ID: DRUPAL-SA-2006-024

* Project: Drupal core

* Date: 2006-Oct-18

* Security risk: Moderately critical

* Exploitable from: Remote

* Vulnerability: Cross site scripting

------------DESCRIPTION------------

Multiple XSS (cross site scripting) vulnerabilities have been discovered.

A bug in input validation and lack of output validation allows HTML and script
insertion on several pages.

Drupal's XML parser passes unescaped data to watchdog under certain
circumstances. A malicious user may execute an XSS attack via a specially
crafted RSS feed. This vulnerability exists on systems that do not use PHP's
mb_string extension (to check if mb_string is being used, navigate to
admin/settings and look under "String handling"). Disabling the aggregator
module provides an immediate workaround.

The aggregator module, profile module, and forum module do not properly escape
output of certain fields.

Note: XSS attacks may lead to administrator access if certain conditions are
met. Learn more about XSS on Wikipedia
[http://en.wikipedia.org/wiki/Cross_site_scripting].

------------VERSIONS AFFECTED------------

* Drupal 4.6.x versions before Drupal 4.6.10

* Drupal 4.7.x versions before Drupal 4.7.4

------------SOLUTION------------

* If you are running Drupal 4.6.x then upgrade to Drupal 4.6.10
[http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz].

* If you are running Drupal 4.7.x then upgrade to Drupal 4.7.4
[http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz].

* To patch Drupal 4.6.9 use http://drupal.org/files/sa-2006-024/4.6.9.patch
[http://drupal.org//files/sa-2006-024/4.6.9.patch].

* To patch Drupal 4.7.3 use http://drupal.org/files/sa-2006-024/4.7.3.patch
[http://drupal.org//files/sa-2006-024/4.7.3.patch].

Please note that the patches only contain changes related to this advisory, and
do not fix bugs that were solved in 4.6.10 or 4.7.4.

------------REPORTED BY------------

The XML parser vulnerability was reported by Erdem Köse.
The forum module vulnerability was reported by Jim Phlew.
The other vulnerabilities were found by members of the Drupal security team.

------------CONTACT------------

The security contact for Drupal can be reached at security at drupal.org or
using the form at [http://drupal.org/contact].

This may delay elmuerte's 4.7.3.6 release. Any way we can help, or do you just 'diff' the new patches against the vbdrupal code and incorporate?

An updated 4.6 release will be out soon (although I won't test it a lot). (Working on it right now)
An updated 4.7 release will have to wait a few more days. Already merged most of the changes but I have to resolve a few more issues and perform some testing.