Not sure if this is just a server config issue on our sites or a general core issue.

STR:

• Visit plugins.textpattern.com (for example).
• Click "Forgot Password".
• Enter your username and get it to send a reset request.

View the reset email. Note the "You have until..." date is in the past which means the token has already expired, so it's not possible to reset the password. You get an "Invalid Token" response after attempting it.

Temporary kludge: perhaps extend the RESET_EXPIRY_MINUTES value to something greater than the server timezone offset in config.php:

define('RESET_EXPIRY_MINUTES', '360'); // 6 hours

I suspect safe_strftime() is not being invoked properly to create the token datestamp, or it is working but is injecting the wrong values into the txp_token table because some conversion is taking place between client/server and database.