I downloaded latest.tar.gz and installed today, Aug 8 2008. When users click the link to reset passwords, the email they receive looks like this:
http://blog.domain.com/wp-login.php?action=rp=FrjOZvBYuINqmcz7L3Bu
Note that the name of the "key" parameter is missing -- there should be an "&key" before the second equals sign.
I fixed it by changing this line in wp-login.php:
$message .= 'http://' . trailingslashit( $current_site->domain . $current_site->path ) . "wp-login.php?action=rp&key=$key\r\n";
to:
$message .= 'http://' . trailingslashit($current_site->domain . $current_site->path ) . "wp-login.php?action=rp&a
mp;key=$key\r\n";
(I replaced &key
with &key
).