Jann Horn discovered that the setuid-root mount.ecryptfs_private helper
in the ecryptfs-utils would mount over any target directory that the
user owns, including a directory in procfs. A local attacker could use
this flaw to escalate his privileges.

Jann Horn discovered a vulnerability in the fuse (Filesystem in
Userspace) package in Debian. The fuse package ships an udev rule
adjusting permissions on the related /dev/cuse character device, making
it world writable.

It was discovered that specific APL RR data could trigger an INSIST
failure in apl_42.c and cause the BIND DNS server to exit, leading to a
denial-of-service.

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation or denial-of-service.

It was discovered that malicious web applications could use the
Expression Language to bypass protections of a Security Manager as
expressions were evaluated within a privileged code section.

The Qualys Security team discovered two vulnerabilities in the roaming
code of the OpenSSH client (an implementation of the SSH protocol
suite).

It was discovered that a maliciously crafted packet can crash any of
the isc-dhcp applications. This includes the DHCP client, relay, and
server application. Only IPv4 setups are affected.

Javantea discovered that pygments, a generic syntax highlighter, is
prone to a shell injection vulnerability allowing a remote attacker to
execute arbitrary code via shell metacharacters in a font name.

Several vulnerabilities have been discovered in the libpng PNG library.
The Common Vulnerabilities and Exposures project identifies the
following problems:

Crtc4L discovered a cross-site scripting vulnerability in wordpress, a
web blogging tool, allowing a remote authenticated administrator to
compromise the site.