“The security issue is an XSS exploit discovered by Jeremias Reith that fortunately only affects IP-based virtual servers running on Apache 2.x. If you are interested only in the security fix, copy wp-includes/feed.php and wp-includes/version.php from the 2.6.5 release package.”
In addition, WordPress 2.6.5 comes with 3 other fixes:
– prevents accidentally saving post meta information to a revision
– prevents XML-RPC from fetching incorrect post types.
– adds some user ID sanitization during bulk delete requests
WordPress released version 2.6.5 directly after 2.6.3. There never was nor will be an officiall WordPress 2.6.4. The only “version” bearing this name is a fake package released by some nice people, better-known as “hackers”. So just try to avoid such a version, were it to come your way.