diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 4c1a34508705c2ec396e548fb571d38924ccb3e8..de2af3cab290e0bcc2391a357ddc93248ab12933 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,7 +1,9 @@ // $Id$ -Drupal 5.23-dev, xxxx-xx-xx +Drupal 5.23, 2010-08-11 ----------------------- +- Fixed security issues (File download access bypass, Comment unpublishing + bypass), see SA-CORE-2010-002. Drupal 5.22, 2010-03-03 -----------------------
diff --git a/modules/comment/comment.module b/modules/comment/comment.module
index 19233a572c7539a3d7a91b72b691276ed0e4a277..0cd19a0d14eb63975648898a021435acef6bcfa2 100644
--- a/modules/comment/comment.module
+++ b/modules/comment/comment.module
@@ -575,7 +575,7 @@ function comment_access($op, $comment) {
global $user;
if ($op == 'edit') {
- return ($user->uid && $user->uid == $comment->uid && comment_num_replies($comment->cid) == 0) || user_access('administer comments');
+ return ($user->uid && $user->uid == $comment->uid && comment_num_replies($comment->cid) == 0 && $comment->status == COMMENT_PUBLISHED) || user_access('administer comments');
}
}
diff --git a/modules/system/system.module b/modules/system/system.module
index 2026c9197e7eb72d6a48625d6398126cb4e68135..70ccbc890aae97239c3a3531ac7bc1d59c35ffec 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -6,7 +6,7 @@ * Configuration system that lets administrators modify the workings of the site.
*/
-define('VERSION', '5.23-dev');
+define('VERSION', '5.23');
/**
* Implementation of hook_help().
diff --git a/modules/upload/upload.module b/modules/upload/upload.module
index eeb7ce9d6a24875877cf8e8538e8cdc194b42991..d7b65213cda1af3f5cecad008ccafa3452680326 100644
--- a/modules/upload/upload.module
+++ b/modules/upload/upload.module
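Review bot: The new `$comment->status == COMMENT_PUBLISHED` term on the `+ return` line is a loose comparison and `COMMENT_PUBLISHED` is not defined in this hunk; if its value is 0 (as I recall it is in Drupal 5, with unpublished being 1), a comment object that reaches `comment_access()` without a status property, or with a NULL or empty-string status, compares equal to it and is treated as published, so the owner-edit branch is reopened for exactly the callers that pass a partially loaded comment. I would require the property to be present, `&& isset($comment->status) && $comment->status == COMMENT_PUBLISHED`, and record the reason above the `if`: `// Owners may only edit comments that are still published (SA-CORE-2010-002).`. The function's signature is the hunk-header context line, so its opening lies just outside the hunk, and the body returns NULL for any `$op` other than 'edit', which every caller must treat as a denial.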
@@ -259,9 +259,15 @@ function upload_download() {
}
function upload_file_download($file) {
- $file = file_create_path($file);
- $result = db_query("SELECT f.* FROM {files} f WHERE filepath = '%s'", $file);
- if ($file = db_fetch_object($result)) {
+ $filepath = file_create_path($file);
+ $result = db_query("SELECT f.* FROM {files} f WHERE filepath = '%s'", $filepath);
+ while ($file = db_fetch_object($result)) {
+ if ($filepath !== $file->filepath) {
+ // Since some database servers sometimes use a case-insensitive
+ // comparison by default, double check that the filename is an exact
+ // match.
+ continue;
+ }
if (user_access('view uploaded files')) {
$node = node_load($file->nid);
if (node_access('view', $node)) {
@@ -271,13 +277,8 @@ function upload_file_download($file) {
'Content-Length: '. $file->filesize,
);
}
- else {
- return -1;
- }
- }
- else {
- return -1;
}
+ return -1;
}
}
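Review bot: When every row the query returns is only a collation near miss of the requested path, the `continue` in the new `if ($filepath !== $file->filepath)` branch exhausts the loop and `upload_file_download()` falls off the end returning NULL, so the upload module abstains rather than denies, and whether the file is served is then left to whatever other `hook_file_download` implementations say; on a case-insensitive filesystem the bytes served for such a request would presumably be those of the private file. A near miss can only occur when the database folded a different stored path onto the request (an exact row is handled inside the loop and returns), so nothing legitimate is lost by remembering that a row was skipped and returning -1 after the loop, as below. The `user_access('view uploaded files')` test does not depend on the row and could move ahead of `db_query()`, but that is cosmetic. The function begins in the first hunk and its closing brace is the last line of the second.
```php
function upload_file_download($file) {
  // … unchanged: file_create_path() and the {files} lookup …
  $near_miss = FALSE;
  while ($file = db_fetch_object($result)) {
    if ($filepath !== $file->filepath) {
      // A case-insensitive (or space-padding) collation matched a different
      // stored path; remember it so the request is denied, not left undecided.
      $near_miss = TRUE;
      continue;
    }
    // … unchanged: permission and node_access() checks, header array, return -1 …
  }
  if ($near_miss) {
    return -1;
  }
}
```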