Nikolay Ermishkin from the Mail.Ru Security Team and Stewie discovered
several vulnerabilities in ImageMagick, a program suite for image
manipulation. These vulnerabilities, collectively known as ImageTragick,
are the consequence of lack of sanitization of untrusted input. An
attacker with control on the image input could, with the privileges of
the user running the application, execute code
(CVE-2016-3714), make HTTP
GET or FTP requests (CVE-2016-3718),
or delete (CVE-2016-3715), move
(CVE-2016-3716), or read
(CVE-2016-3717) local files.

Gustavo Grieco discovered that jansson, a C library for encoding,
decoding and manipulating JSON data, did not limit the recursion depth
when parsing JSON arrays and objects. This could allow remote attackers
to cause a denial of service (crash) via stack exhaustion, using crafted
JSON data.

It was discovered that libidn, the GNU library for Internationalized
Domain Names (IDNs), did not correctly handle invalid UTF-8 input,
causing an out-of-bounds read. This could allow attackers to disclose
sensitive information from an application using the libidn library.

Multiple security issues have been found in Icedove, Debian’s version of
the Mozilla Thunderbird mail client: Multiple memory safety errors may
lead to the execution of arbitrary code or denial of service.

It was discovered that XStream, a Java library to serialize objects to
XML and back again, was susceptible to XML External Entity attacks.

Craig Small <csmall-8fiUuRrzOP0dnm+yROfE0A< at >public.gmane.org> uploaded new packages for wordpress
which fixed the following securty problems:

CVE-2016-4566 Reflected XSS in PLupload and mediaelement

For the jessie-backports distribution the problems have been fixed in
version 4.5.2+dfsg-1~bpo8+1

Rock Stevens, Andrew Ruef and Marcin Icewall Noga discovered a
heap-based buffer overflow vulnerability in the zip_read_mac_metadata
function in libarchive, a multi-format archive and compression library,
which may lead to the execution of arbitrary code if a user or automated
system is tricked into processing a specially crafted ZIP file.

Nitin Venkatesh discovered that websvn, a web viewer for Subversion
repositories, is susceptible to cross-site scripting attacks via
specially crafted file and directory names in repositories.

Several vulnerabilities were discovered in qemu, a fast processor
emulator.

Simon McVittie discovered a cross-site scripting vulnerability in the
error reporting of Ikiwiki, a wiki compiler. This update also hardens
ikiwiki’s use of imagemagick in the img plugin.