Drupal Association members fund grants that make connections all over the world.
This release of Context addresses two security vulnerabilities and a bug introduced in rc1.
* Vulnerability one - remote code execution possibility through json_decode implementation in the block reaction. In practical use this vulnerability should not be executable as the native PHP json_decode function should be getting used instead. This update removes the implementation in the block reaction.
* Vulnerability two - insufficient access control for ajax rendering of a block. The token based system has been removed. Users which have administer contexts permissions will have access to all blocks, a new permission has been added should the need arise to give users access to the ajax rendering of blocks without administering contexts and a hook has been added to allow for fine grained access control should it be desired. See the context.api.php file for hook details.
* Issue by Peacog, derekw: Trying to get property of non-object in context_entity_prepare_view()