Multiple security issues have been found in Icedove, Debian’s version of
the Mozilla Thunderbird mail client: Multiple memory safety errors,
integer overflows, buffer overflows and other implementation errors may
lead to the execution of arbitrary code or denial of service.

Aris Adamantiadis discovered that libssh, a tiny C SSH library,
incorrectly generated a short ephemeral secret for the
diffie-hellman-group1 and diffie-hellman-group14 key exchange methods.
The resulting secret is 128 bits long, instead of the recommended sizes
of 1024 and 2048 bits respectively. This flaw could allow an
eavesdropper with enough resources to decrypt or intercept SSH sessions.

Andreas Schneider reported that libssh2, a SSH2 client-side library,
passes the number of bytes to a function that expects number of bits
during the SSHv2 handshake when libssh2 is to get a suitable value for
group order in the Diffie-Hellman negotiation. This weakens
significantly the handshake security, potentially allowing an
eavesdropper with enough resources to decrypt or intercept SSH sessions.

lighttpd, a small webserver, is vulnerable to the POODLE attack via
the use of SSLv3. This protocol is now disabled by default.

Jakub Palaczynski discovered that websvn, a web viewer for Subversion
repositories, does not correctly sanitize user-supplied input, which
allows a remote user to run reflected cross-site scripting attacks.

Several vulnerabilities have been discovered in the chromium web browser.

Alexander Izmailov discovered that didiwiki, a wiki implementation,
failed to correctly validate user-supplied input, thus allowing a
malicious user to access any part of the filesystem.

Stepan Golosunov discovered that xdelta3, a diff utility which works
with binary files, is affected by a buffer overflow vulnerability within
the main_get_appheader function, which may lead to the execution of
arbitrary code.

Gustavo Grieco discovered an out-of-bounds write vulnerability in cpio,
a tool for creating and extracting cpio archive files, leading to a
denial of service (application crash).

An anonymous contributor working with VeriSign iDefense Labs
discovered that libreoffice, a full-featured office productivity
suite, did not correctly handle Lotus WordPro files. This would enable
an attacker to crash the program, or execute arbitrary code, by
supplying a specially crafted LWP file.
For the oldstable distribution (wheezy), these problems have been fixed
in version 3.5.4+dfsg2-0+deb7u6.
For the stable distribution (jessie), these problems have been fixed in
version 4.3.3-2+deb8u3.
For the testing (stretch) and unstable (sid) distributions, these
problems have been fixed in version 1:5.0.5~rc1-1.
We recommend that you upgrade your libreoffice packages.