The security issue in views is caused by various places in the views UI where a string is not sanitized,
because it has been assumed to be static and by commiters, though you can change some of these strings using other administrative permissions. SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS)
#82088 by grisendo: Add sanitation in various places in the views UI
#1920690 by jnettik: Added Allow for inline to be configured for jump menus.
#1551534 by bcn: Added Allow a button in an exposed forms to trigger ajax.
#1914024 by peximo | heyyo: Fixed Title-overriden term name not translated on a taxonomy overriden views page.
#1889198 by Pedro Lozano: Fixed Performance problem in _views_fetch_data(), multiple unnecessary cache rebuilds.
#1496418 by dawehner, hass, webflo: Fixed Views: Don't change capitalization of translatable strings with CSS.
#1852116 by Les Lim, Chris Burge: Added Backport from D8: Customizable true/false Views output for booleans.
WARNING: Maintainers are working to fix a bug that was found after the 7.x-3.4 release that causes some Views pages, blocks, attachments and feeds to disappear after upgrading from 3.3 to 3.4. Stay informed of progress at the following link: 7.x-3.4 Upgrade is cancelling boolean operator settings. It is recommended to wait to upgrade until this bug has been fixed.
Hopefully this will be more or less the last big step before a release.
Not this release fixes a security problem, which can be seen as critical
The Views module is useful for creating lists of items in Drupal sites. Some filters incorrectly used Drupal's built-in database api, so they didn't escaped some arguments correctly. This vulnerability is mitigated by the fact that a site must have a view with this filter to be enabled in order to be exploited.
This version of views fixes some upcoming bugs which were caused by the latest update to 6.x-3.0-rc2
Most important to mention is the replacement-patterns bug, which caused problems if you used flag for example.