Stefan Roas discovered a way to cause a buffer overflow in DBD-FireBird,
a Perl DBI driver for the Firebird RDBMS, in certain error conditions, due
to the use of the sprintf() function to write to a fixed-size memory buffer.
Category Archives: Debian
Debian Security Advisories
DSA-3218 wesnoth-1.10 – security update
Ignacio R. Morelle discovered that missing path restrictions in the
Battle of Wesnoth game could result in the disclosure of arbitrary
files in the user’s home directory if malicious campaigns/maps are
loaded.
DSA-3217 dpkg – security update
Jann Horn discovered that the source package integrity verification in
dpkg-source can be bypassed via a specially crafted Debian source
control file (.dsc). Note that this flaw only affects extraction of
local Debian source packages via dpkg-source but not the installation of
packages from the Debian archive.
DSA-3215 libgd2 – security update
Multiple vulnerabilities were discovered in libgd2, a graphics library:
DSA-3214 mailman – security update
A path traversal vulnerability was discovered in Mailman, the mailing
list manager. Installations using a transport script (such as
postfix-to-mailman.py) to interface with their MTA instead of static
aliases were vulnerable to a path traversal attack. To successfully
exploit this, an attacker needs write access on the local file system.
DSA-3213 arj – security update
Multiple vulnerabilities have been discovered in arj, an open source
version of the arj archiver. The Common Vulnerabilities and Exposures
project identifies the following problems:
DSA-3216 tor – security update
Several vulnerabilities have been discovered in Tor, a connection-based
low-latency anonymous communication system:
DSA-3212 icedove – security update
Multiple security issues have been found in Icedove, Debian’s version of
the Mozilla Thunderbird mail client: Multiple memory safety errors,
use-after-frees and other implementation errors may lead to the
execution of arbitrary code, the bypass of security restrictions or
denial of service.
DSA-3211 iceweasel – security update
Multiple security issues have been found in Iceweasel, Debian’s version
of the Mozilla Firefox web browser: Multiple memory safety errors,
use-after-frees and other implementation errors may lead to the
execution of arbitrary code, the bypass of security restrictions, denial
of service or cross-site request forgery.
DSA-3210 wireshark – security update
Multiple vulnerabilities were discovered in the dissectors/parsers for
WCP, pcapng and TNEF, which could result in denial of service.