Multiple security issues have been found in Iceweasel, Debian’s version
of the Mozilla Firefox web browser: Multiple memory safety errors, buffer
overflows, use-after-frees and other implementation errors may lead to
the execution of arbitrary code, denial of service, the bypass of the
same-origin policy or a loss of privacy.
Category Archives: Debian
Debian Security Advisories
DSA-3049 wireshark – security update
Multiple vulnerabilities were discovered in the dissectors/parsers for
RTP, MEGACO, Netflow, RTSP, SES and Sniffer, which could result in denial
of service.
DSA-3047 rsyslog – security update
Mancha discovered a vulnerability in rsyslog, a system for log
processing. The vulnerability is an integer overflow that can be
triggered by malformed messages sent to a server that accepts data
from untrusted sources, causing message loss, denial of service and, potentially, remote code execution.
DSA-3048 apt – security update
Guillem Jover discovered that the changelog retrieval functionality in
apt-get used temporary files in an insecure way, allowing a local user
to cause arbitrary files to be overwritten.
DSA-3046 mediawiki – security update
It was reported that MediaWiki, a website engine for collaborative work,
allowed user-created CSS to be loaded on pages where user-created JavaScript
is not allowed. A wiki user could be tricked into performing actions through
manipulation of the interface from CSS, or through JavaScript code executed
from CSS, on security-sensitive pages like Special:Preferences and
Special:UserLogin. This update removes the separation of CSS and
JavaScript module allowance.
DSA-3044 qemu-kvm – security update
Several vulnerabilities were discovered in qemu-kvm, a full
virtualization solution on x86 hardware:
DSA-3045 qemu – security update
Several vulnerabilities were discovered in qemu, a fast processor
emulator:
DSA-3042 exuberant-ctags – security update
Stefano Zacchiroli discovered a vulnerability in exuberant-ctags, a tool
to build tag file indexes of source code definitions: Certain JavaScript
files cause ctags to enter an infinite loop until it runs out of disk
space, resulting in denial of service.
DSA-3041 xen – security update
Multiple security issues have been discovered in the Xen virtualisation
solution which may result in denial of service, information disclosure
or privilege escalation.
DSA-3040 rsyslog – security update
Rainer Gerhards, the rsyslog project leader, reported a vulnerability in
rsyslog, a system for log processing. As a consequence of this
vulnerability, an attacker can send malformed messages to a server that
accepts data from untrusted sources and trigger a denial of
service.