Several vulnerabilities were discovered in qemu, a fast processor
emulator.
Category Archives: Debian
Debian Security Advisories
DSA-3360 icu – security update
It was discovered that the International Components for Unicode (ICU)
library mishandles converter names starting with x-, which allows
remote attackers to cause a denial of service (read of uninitialized
memory) or possibly have unspecified other impact via a crafted file.
DSA-3358 php5 – security update
Several vulnerabilities were found in PHP, a general-purpose scripting
language commonly used for web application development.
DSA-3359 virtualbox – security update
This update fixes an unspecified security issue in VirtualBox related to
guests using bridged networking via WiFi. Oracle no longer provides
information on specific security vulnerabilities in VirtualBox. To still
support users of the already released Debian releases, we’ve decided to
update these to the respective 4.1.40 and 4.3.30 bugfix releases.
DSA-3357 vzctl – security update
It was discovered that vzctl, a set of control tools for the OpenVZ
server virtualisation solution, determined the storage layout of
containers based on the presence of an XML file inside the container.
An attacker with local root privileges in a simfs-based container
could gain control over ploop-based containers. Further information on
the prerequisites of such an attack can be found at
src.openvz.org.
DSA-3356 openldap – security update
Denis Andzakovic discovered that OpenLDAP, a free implementation of the
Lightweight Directory Access Protocol, does not properly handle BER
data. An unauthenticated remote attacker can use this flaw to cause a
denial of service (slapd daemon crash) via a specially crafted packet.
DSA-3355 libvdpau – security update
Florian Weimer of Red Hat Product Security discovered that libvdpau, the
VDPAU wrapper library, did not properly validate environment variables,
allowing local attackers to gain additional privileges.
DSA-3354 spice – security update
Frediano Ziglio of Red Hat discovered a race condition flaw in spice’s
worker_update_monitors_config() function, leading to a heap-based memory
corruption. A malicious user in a guest can take advantage of this flaw
to cause a denial of service (QEMU process crash) or, potentially,
execute arbitrary code on the host with the privileges of the hosting
QEMU process.
DSA-3353 openslp-dfsg – security update
Qinghao Tang of QIHU 360 discovered a double free flaw in OpenSLP, an
implementation of the IETF Service Location Protocol. This could allow
remote attackers to cause a denial of service (crash).
DSA-3352 screen – security update
A vulnerability was found in screen that causes a stack overflow,
crashing the screen server process and resulting in a denial of
service.