Category Archives: Debian

Debian Security Advisories

DSA-3709 libxslt – security update

Nick Wellnhofer discovered that the xsltFormatNumberConversion function
in libxslt, an XSLT processing runtime library, does not properly check
for a zero byte terminating the pattern string. This flaw can be
exploited to leak a couple of bytes after the buffer that holds the
pattern string.

DSA-3706 mysql-5.5 – security update

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.53, which includes additional changes, such as performance
improvements, bug fixes, new features, and possibly incompatible
changes. Please see the MySQL 5.5 Release Notes and Oracle’s Critical
Patch Update advisory for further details:

DSA-3704 memcached – security update

Aleksandar Nikolic of Cisco Talos discovered several integer overflow
vulnerabilities in memcached, a high-performance memory object caching
system. A remote attacker can take advantage of these flaws to cause a
denial of service (daemon crash), or potentially to execute arbitrary
code.

DSA-3703 bind9 – security update

Tony Finch and Marco Davids reported an assertion failure in BIND, a
DNS server implementation, which causes the server process to
terminate. This denial-of-service vulnerability is related to a
defect in the processing of responses with DNAME records from
authoritative servers and primarily affects recursive resolvers.

DSA-3701 nginx – security update

Dawid Golunski reported that the nginx web server packages in Debian
suffered from a privilege escalation vulnerability (www-data to root)
due to the way log files are handled. This security update changes
ownership of the /var/log/nginx directory to root. In addition,
/var/log/nginx has to be made accessible to local users, and local
users may be able to read the log files themselves until the
next logrotate invocation.