Charlie Smurthwaite of aTech Media discovered a flaw in HAProxy, a fast
and reliable load balancing reverse proxy, when HTTP pipelining is used.
A client can take advantage of this flaw to cause data corruption and
retrieve uninitialized memory contents that exhibit data from a past
request or session.
Category Archives: Debian
Debian Security Advisories
DSA-3300 iceweasel – security update
Multiple security issues have been found in Iceweasel, Debian’s version
of the Mozilla Firefox web browser: multiple memory safety errors,
use-after-frees and other implementation errors may lead to the
execution of arbitrary code or denial of service. This update also
addresses a vulnerability in DHE key processing commonly known as the
LogJam vulnerability.
DSA-3299 stunnel4 – security update
Johan Olofsson discovered an authentication bypass vulnerability in
Stunnel, a program designed to work as a universal SSL tunnel for
network daemons. When Stunnel in server mode is used with the redirect
option and certificate-based authentication is enabled with verify = 2
or higher, then only the initial connection is redirected to the hosts
specified with redirect. This allows a remote attacker to bypass
authentication.
DSA-3298 jackrabbit – security update
It was discovered that the Jackrabbit WebDAV bundle was susceptible to an
XXE/XEE attack. When processing a WebDAV request body containing XML,
the XML parser could be instructed to read content from network
resources accessible to the host, identified by URI schemes such as
http(s) or file. Depending on the WebDAV request, this could not
only be used to trigger internal network requests, but might also be
used to insert said content into the request, potentially exposing it to
the attacker and others.
DSA-3297 unattended-upgrades – security update
It was discovered that unattended-upgrades, a script for automatic
installation of security upgrades, did not properly authenticate
downloaded packages when the force-confold or force-confnew dpkg options
were enabled via the DPkg::Options::* apt configuration.
DSA-3296 libcrypto++ – security update
Evgeny Sidorov discovered that libcrypto++, a general purpose C++
cryptographic library, did not properly implement blinding to mask
private key operations for the Rabin-Williams digital signature
algorithm. This could allow remote attackers to mount a timing attack
and retrieve the user’s private key.
DSA-3295 cacti – security update
Several vulnerabilities (cross-site scripting and SQL injection) have
been discovered in Cacti, a web interface for graphing of monitoring
systems.
DSA-3294 wireshark – security update
Multiple vulnerabilities were discovered in the dissectors for WCCP
and GSM DTAP, which could result in denial of service.
DSA-3293 pyjwt – security update
Tim McLean discovered that pyjwt, a Python implementation of JSON Web
Token, would try to verify an HMAC signature using an RSA or ECDSA public
key as secret. This could allow remote attackers to trick applications
expecting tokens signed with asymmetric keys into accepting arbitrary
tokens. For more information see: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/.
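As an added illustration of the algorithm-confusion class this advisory describes (example code written for this page, not pyjwt's own code and not part of the Debian advisory): a minimal, standard-library-only JWT verifier in its pre-fix shape, which lets the token's own `alg` header decide how the server's key is used, beside a hardened verifier that takes an explicit algorithm allow-list from the application (the same idea as the `algorithms=` parameter later PyJWT releases require) and additionally refuses to use PEM public-key bytes as an HMAC secret. `SHARED_SECRET`, `PUBLIC_KEY_PEM` and `PAYLOAD` are constructed placeholders, not real key material; RS256 verification itself is not implemented because the point is the check that runs before any signature is examined.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def encode_hs256(payload: dict, key: bytes) -> str:
    """Build a compact JWT whose header says HS256, MACed with the given key bytes."""
    header = {"typ": "JWT", "alg": "HS256"}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = _hs256(f"{h}.{p}".encode("ascii"), key)
    return f"{h}.{p}.{_b64url_encode(sig)}"


def _split(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    h, p, s = parts
    return h, p, s, json.loads(_b64url_decode(h))


def _verify_hs256(h: str, p: str, s: str, key: bytes) -> dict:
    expected = _hs256(f"{h}.{p}".encode("ascii"), key)
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(p))


def decode_insecure(token: str, key: bytes) -> dict:
    """Pre-fix behaviour: the token's 'alg' header decides how 'key' is used.
    If the header says HS256, whatever bytes the server holds, including an
    RSA/ECDSA public key meant for RS256/ES256, become the HMAC secret."""
    h, p, s, header = _split(token)
    if header.get("alg") == "HS256":
        return _verify_hs256(h, p, s, key)
    raise ValueError("unsupported alg")


def _looks_like_pem_public_key(key: bytes) -> bool:
    return key.lstrip().startswith(b"-----BEGIN") and b"PUBLIC KEY" in key


# Verifiers by JWA algorithm name. A real deployment would also register
# RS256/ES256 here; they are omitted because they need an RSA/ECDSA library.
VERIFIERS = {"HS256": _verify_hs256}


def decode_hardened(token: str, key: bytes, algorithms: list) -> dict:
    """Fixed behaviour: the application names the algorithms it accepts, the
    header must match one of them, and public-key material is never used as
    an HMAC secret. Both checks run before any signature is examined."""
    h, p, s, header = _split(token)
    alg = header.get("alg")
    if alg not in algorithms:
        raise ValueError(f"algorithm {alg!r} not in allow-list {algorithms}")
    if alg == "HS256" and _looks_like_pem_public_key(key):
        raise ValueError("refusing to use a PEM public key as an HMAC secret")
    verifier = VERIFIERS.get(alg)
    if verifier is None:
        raise ValueError(f"no verifier registered for {alg!r}")
    return verifier(h, p, s, key)


# Constructed fixtures for the demo; not real key material.
SHARED_SECRET = b"constructed-shared-secret"
PUBLIC_KEY_PEM = (b"-----BEGIN PUBLIC KEY-----\n"
                  b"Q09OU1RSVUNURUQtTk9ULUEtUkVBTC1LRVk=\n"
                  b"-----END PUBLIC KEY-----\n")
PAYLOAD = {"sub": "alice", "admin": False}


def run_demo() -> dict:
    """Report which verifier accepts which token (asserted on in the test)."""
    results = {}
    hs_token = encode_hs256(PAYLOAD, SHARED_SECRET)
    results["hmac_deployment_accepts_own_token"] = (
        decode_hardened(hs_token, SHARED_SECRET, ["HS256"]) == PAYLOAD)
    # The case the advisory describes: an RS256-only deployment is handed a
    # token whose header claims HS256 over the bytes of its own public key.
    confused = encode_hs256(PAYLOAD, PUBLIC_KEY_PEM)
    results["insecure_accepts_confused_token"] = (
        decode_insecure(confused, PUBLIC_KEY_PEM) == PAYLOAD)
    try:
        decode_hardened(confused, PUBLIC_KEY_PEM, ["RS256"])
        results["hardened_accepts_confused_token"] = True
    except ValueError:
        results["hardened_accepts_confused_token"] = False
    return results


if __name__ == "__main__":
    print(run_demo())
```

The allow-list is the primary control: the verifier never consults the header to decide which key type or algorithm it is operating with, it only checks that the header agrees with what the application configured. The PEM check is a second, independent guard so that even an application that mistakenly allows HS256 alongside RS256 cannot be talked into using public-key bytes as a MAC secret.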
DSA-3292 cinder – security update
Bastian Blank from credativ discovered that cinder, a
storage-as-a-service system for the OpenStack cloud computing suite,
contained a bug that would allow an authenticated user to read any
file from the cinder server.