Drupal Security Team reports:
CVE-2019-10909: Escape validation messages in the PHP templating engine.
CVE-2019-10910: Check service IDs are valid.
CVE-2019-10911: Add a separator in the remember me cookie hash.
jQuery 3.4.0 includes a fix for some unintended behavior when using
jQuery.extend(true, {}, ...). If an unsanitized source object contained
an enumerable __proto__ property, it could extend the native Object.prototype.
This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous
jQuery versions.
It's possible that this vulnerability is exploitable with some Drupal modules.
As a precaution, this Drupal security release backports the fix to jQuery.extend(),
without making any other changes to the jQuery version that is included in
Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site
via some other module such as jQuery Update.