This release is exactly the same as 6.x-1.14 except that it fixes issue #2324925: ShortURL and ShURLy shorteners broke in 6.x-1.14. If you weren't using the ShortURL or ShURLy modules, no changes in this release will affect you.
The reason those modules broke is because 6.x-1.14 started encoding URLs before shortening them, which makes sense when sending the URL as data to remote URL shorteners, but not when sending a URL directly to a local shortener. 6.x-1.15 makes an exception for local shorteners.
The 6.x versions prior to this release use a "Location: " header to redirect to the favicon path which is set in the admin settings for the theme. This uses the header() function from php rather than Drupal's header which is vulnerable to a header injection exploit.
These vulnerabilities are mitigated by the fact that an attacker must have a role with the permission "administer theme".
This is only a problem for web sites running PHP 5.1 and below which is unsupported so no security advisory has been published.