* Vulnerability one - remote code execution possibility through json_decode implementation in the block reaction. This update removes the implementation in the block reaction and you will need to ensure your version of PHP included a json_decode function before applying.
* Vulnerability two - insufficient access control for ajax rendering of a block. The token based system has been removed. A new permission has been added should the need arise to give users access to the ajax rendering of blocks without administering contexts and a hook has been added to allow for fine grained access control should it be desired. See the context.api.php file for hook details.