Jouni Malinen discovered an input sanitization issue in the wpa_cli and
hostapd_cli tools included in the wpa package. A remote wifi system
within range could provide a crafted string triggering arbitrary code
execution running with privileges of the affected wpa_cli or hostapd_cli
process.

Multiple vulnerabilities were discovered in the dissectors/parsers for
RTP, MEGACO, Netflow, RTSP, SES and Sniffer, which could result in denial
of service.

Guillem Jover discovered that the changelog retrieval functionality in
apt-get used temporary files in an insecure way, allowing a local user
to cause arbitrary files to be overwritten.

Mancha discovered a vulnerability in rsyslog, a system for log
processing. This vulnerability is an integer overflow that can be
triggered by malformed messages to a server, if this one accepts data
from untrusted sources, provoking message loss, denial of service and, potentially, remote code execution.

It was reported that MediaWiki, a website engine for collaborative work,
allowed to load user-created CSS on pages where user-created JavaScript
is not allowed. A wiki user could be tricked into performing actions by
manipulating the interface from CSS, or JavaScript code being executed
from CSS, on security-wise sensitive pages like Special:Preferences and
Special:UserLogin. This update removes the separation of CSS and
JavaScript module allowance.

Several vulnerabilities were discovered in qemu-kvm, a full
virtualization solution on x86 hardware:

Several vulnerabilities were discovered in qemu, a fast processor
emulator:

Stefano Zacchiroli discovered a vulnerability in exuberant-ctags, a tool
to build tag file indexes of source code definitions: Certain JavaScript
files cause ctags to enter an infinite loop until it runs out of disk
space, resulting in denial of service.

Multiple security issues have been discovered in the Xen virtualisation
solution which may result in denial of service, information disclosure
or privilege escalation.

Rainer Gerhards, the rsyslog project leader, reported a vulnerability in
Rsyslog, a system for log processing. As a consequence of this
vulnerability an attacker can send malformed messages to a server, if
this one accepts data from untrusted sources, and trigger a denial of
service attack.