Totara 2.2.29 and 2.4.20 are both "security" releases, because they include important fixes for potential security vulnerabilities.
Here are the changelogs:
Release 2.2.29 (27th May 2014):
==================================================
Security Fixes:
MDL-45332 Fixed URL parameter type to use PARAM_URL in the repository module
MDL-43877 Fixed files from blocks in my/ being accessible to the world
MDL-43119 Added valid until dates for tokens created by login/token.php
T-12441 Fixed potential XSS vulnerability in quicklinks block
Database Upgrades:
T-11680 Fixed bug where assigning a manager to a secondary position could affect primary positions
Bug Fixes:
T-12280 Prevent deleting RPL records when deleting completion data
Release 2.4.20 (27th May 2014):
==================================================
Security Fixes:
MoodleHQ http://docs.moodle.org/dev/Moodle_2.4.10_release_notes
T-12441 Fixed potential XSS vulnerability in quicklinks block
Database Upgrades:
T-11680 Fixed bug where assigning a manager to a secondary position could affect primary positions
Bug Fixes:
T-11799 Fixed completion logic error when using grade and status in SCORM activities
T-12128 Fixed links on Windows servers for uploaded files with filenames in non-Latin alphabets
T-12449 Recover course completion criteria dates for activity completion criteria
T-12251 Fixed user properties in user_updated event when password changed
T-12153 Fixed the setting of users' timecreated field when new users are created by Totara Sync
T-12313 Removed request approval button in Learning Plans while request is pending
