This release is focused primarily on fixing bugs and regressions, plus some minor tweaks that should not affect sites. Presuming there are no regressions from this, this will be released as v7.x-3.16 in two weeks.
The security issue in Views is caused by various places in the Views UI where a string is not sanitized because it was assumed to be static and supplied by committers, even though some of these strings can be changed using other administrative permissions.
SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS)
#82088 by grisendo: Add sanitation in various places in the views UI
#1920690 by jnettik: Added Allow for inline to be configured for jump menus.
#1551534 by bcn: Added Allow a button in an exposed form to trigger ajax.
#1914024 by peximo | heyyo: Fixed Title-overridden term name not translated on a taxonomy overridden views page.
#1889198 by Pedro Lozano: Fixed Performance problem in _views_fetch_data(), multiple unnecessary cache rebuilds.
#1496418 by dawehner, hass, webflo: Fixed Views: Don't change capitalization of translatable strings with CSS.
#1852116 by Les Lim, Chris Burge: Added Backport from D8: Customizable true/false Views output for booleans.
WARNING: Maintainers are working to fix a bug that was found after the 7.x-3.4 release that causes some Views pages, blocks, attachments and feeds to disappear after upgrading from 3.3 to 3.4. Stay informed of progress at the following link: 7.x-3.4 Upgrade is cancelling boolean operator settings. It is recommended to wait to upgrade until this bug has been fixed.