It was discovered that the web-based administration interface in the
Horde Application Framework did not guard against Cross-Site Request
Forgery (CSRF) attacks. As a result, other, malicious web pages could
cause Horde applications to perform actions as the Horde user.
Category Archives: Debian
Debian Security Advisories
DSA-3390 xen – security update
It was discovered that the code to validate level 2 page table entries
is bypassed when certain conditions are satisfied. A malicious PV guest
administrator can take advantage of this flaw to gain privileges via a
crafted superpage mapping.
DSA-3389 elasticsearch – end-of-life
Security support for elasticsearch in jessie is hereby discontinued. The
project no longer releases information on fixed security issues that
would allow backporting them to released versions of Debian, and
actively discourages doing so.
DSA-3388 ntp – security update
Several vulnerabilities were discovered in the Network Time Protocol
daemon and utility programs:
DSA-3387 openafs – security update
John Stumpo discovered that OpenAFS, a distributed file system, does
not fully initialize certain network packets before transmitting them.
This can lead to a disclosure of the plaintext of previously processed
packets.
DSA-3385 mariadb-10.0 – security update
Several issues have been discovered in the MariaDB database server. The
vulnerabilities are addressed by upgrading MariaDB to the new upstream
version 10.0.22. Please see the MariaDB 10.0 Release Notes for further
details:
DSA-3386 unzip – security update
Two vulnerabilities have been found in unzip, a de-archiver for .zip
files. The Common Vulnerabilities and Exposures project identifies the
following problems:
DSA-3383 wordpress – security update
Several vulnerabilities were discovered in WordPress, a web blogging
tool. The Common Vulnerabilities and Exposures project identifies the
following problems:
DSA-3384 virtualbox – security update
Two vulnerabilities have been discovered in VirtualBox, an x86
virtualisation solution.
DSA-3382 phpmyadmin – security update
Several issues have been fixed in phpMyAdmin, the web administration
tool for MySQL.