Several vulnerabilities were discovered in the ntp package, an
implementation of the Network Time Protocol.
Category Archives: Debian
Debian Security Advisories
DSA-3107 subversion – security update
Evgeny Kotkov discovered a NULL pointer dereference while processing
REPORT requests in mod_dav_svn, the Subversion component which is used
to serve repositories with the Apache web server. A remote attacker
could abuse this vulnerability for a denial of service.
DSA-3106 jasper – security update
Jose Duart of the Google Security Team discovered a double free flaw
(CVE-2014-8137) and a heap-based buffer overflow flaw (CVE-2014-8138)
in JasPer, a library for manipulating JPEG-2000 files. A specially
crafted file could cause an application using JasPer to crash or,
possibly, execute arbitrary code.
DSA-3104 bsd-mailx – security update
It was discovered that bsd-mailx, an implementation of the mail
command, had an undocumented feature which treats syntactically valid
email addresses as shell commands to execute.
DSA-3105 heirloom-mailx – security update
Two security vulnerabilities were discovered in Heirloom mailx, an
implementation of the mail command:
DSA-3103 libyaml-libyaml-perl – security update
Jonathan Gray and Stanislaw Pitucha found an assertion failure in the
way wrapped strings are parsed in LibYAML, a fast YAML 1.1 parser and
emitter library. An attacker able to load specially crafted YAML input
into an application using libyaml could cause the application to crash.
DSA-3102 libyaml – security update
Jonathan Gray and Stanislaw Pitucha found an assertion failure in the
way wrapped strings are parsed in LibYAML, a fast YAML 1.1 parser and
emitter library. An attacker able to load specially crafted YAML input
into an application using libyaml could cause the application to crash.
DSA-3101 c-icap – security update
Several vulnerabilities were found in c-icap, an ICAP server
implementation, which could allow a remote attacker to cause c-icap to
crash, or have other, unspecified impacts.
DSA-3100 mediawiki – security update
A flaw was discovered in mediawiki, a wiki engine: cross-domain-policy
mangling allows an article editor to inject code into API consumers
that deserialize PHP representations of the page from the API.
DSA-3098 graphviz – security update
Joshua Rogers discovered a format string vulnerability in the yyerror
function in lib/cgraph/scan.l in Graphviz, a rich set of graph drawing
tools. An attacker could use this flaw to cause graphviz to crash or
possibly execute arbitrary code.