Jerome is refining the v3 Container SPI as he gets closer to the first formal build of the GlassFish v3 nucleus. The nucleus will include the HK2 kernel but also enough other pieces to be useful as the basis to load GFv3 containers.

Check his email and the Update Wiki page.

I was pointed to this reported "security issue" today, and wanted to say a quick word about this.

The report is invalid. None of the specified URLs are exploitable.

1. action.php: has include('./config.php'); as first line. config.php defines $DIR_LIBS.
2. media.php: same thing: included config.php first, via a fixed path.
3. xmlrpc/server.php: again, the same: includes config.php via a fixed path.
4. xmlrpc/api_metaweblog.inc.php: this one is just funny, since this file doesn't execute any code when called (it's included from elsewhere). The only thing it does is composing an array and defining a number of functions.

Including config.php as soon as possible, via a safe path, is crucial to Nucleus security: including config.php defines crucial variables (like DIR_LIBS) and bootstraps Nucleus (including security checks: that's why you'll receive a "Sorry, an error occurred" error message when trying these URLs)

The previous security issue, which led to the release of Nucleus v3.23, was possible because PLUGINADMIN.php has no reliable way of knowing where it is executing, and therefor cannot include config.php in a safe way. Instead, this file is included from plugin admin areas, which include the config file first. Should have called the file PLUGINADMIN.inc, actually.

Anyway, there's no need to worry about this report. You're only vulnarable to it if you've got an empty config.php file, and in that case, your site won't function anyway. As far as I know, Nucleus v3.23 is safe to use.