The security issue was one that opened up the doors for cross-site scripting (XSS) attacks. jQuery uses a regular expression in the jQuery.htmlPrefilter method that made sure that all closing tags were XHTML-compliant when they were passed to methods. According to the jQuery team, there were a few edge cases where this process led to XSS vulnerabilities.
According to the jQuery team, it is possible that the fix to this vulnerability will require developers to rewrite their code. The team noted that if a developer really needs the old behavior, they can restore the previous version of jQuery.htmlPrefilter by using the jQuery migrate plugin.
This release also adds the two methods that are intended to replace positional selectors, which are currently being deprecated and will be removed in jQuery 4.0. The .even() and .odd() methods will replace the :even and :odd selectors.
Another minor feature in this release is the ability to add context to jQuery.globalEval.
According to the team, this release also fixed a bug in the Ajax script transport, improved performance in Sizzle, added support for massive arrays in jQuery map, fixed syntax errors in AMD modules, and more.
More information is available here.