Drupal reports:
Mail header injection vulnerability.
Linefeeds and carriage returns were not being stripped from
email headers, raising the possibility of bogus headers
being inserted into outgoing email.
This could lead to Drupal sites being used to send unwanted
email.
Session fixation vulnerability.
If someone creates a clever enough URL and convinces you to
click on it, and you later log in but you do not log off
then the attacker may be able to impersonate you.
XSS vulnerabilities.
Some user input sanity checking was missing. This could
lead to possible cross-site scripting (XSS) attacks.
XSS can lead to user tracking and theft of accounts and
services.
Security bypass in menu.module.
If you use menu.module to create a menu item, the page you
point to will be accessible to all, even if it is an admin
page.