Multiple SQL injection vulnerabilities have been discovered in the Mantis
bug tracking system.
Category Archives: Debian
Debian Security Advisories
DSA-3027 libav – security update
Several security issues have been corrected in multiple demuxers and
decoders of the libav multimedia library. A full list of the changes is
available at
http://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v0.8.15
DSA-3028 icedove – security update
Multiple security issues have been found in Icedove, Debian’s version of
the Mozilla Thunderbird mail and news client: Multiple memory safety
errors and use-after-frees may lead to the execution of arbitrary code
or denial of service.
DSA-3025 apt – security update
It was discovered that APT, the high level package manager, does not
properly invalidate unauthenticated data (CVE-2014-0488), performs
incorrect verification of 304 replies (CVE-2014-0487), does not perform
the checksum check when the Acquire::GzipIndexes option is used
(CVE-2014-0489) and does not properly perform validation for binary
packages downloaded by the apt-get download command (CVE-2014-0490).
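As an added illustration (not code from the advisory, from APT or from Debian), the following POSIX shell script performs the check that CVE-2014-0490 describes apt-get download as omitting: it recomputes the SHA256 of a downloaded .deb and compares it with the digest recorded for that Filename in the Packages index. The index stanzas, the package file and the tampered copy are constructed inline for the demonstration, and the function names verify_deb, index_sha256 and file_sha256 are this example's own.

```shell
#!/bin/sh
# Added example, not APT's own code: verify a downloaded .deb against the
# SHA256 recorded in a Debian "Packages" index (stanzas separated by a blank
# line, with Filename: and SHA256: fields). Assumes sha256sum or shasum.
set -u

# Hex SHA256 of a file.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# index_sha256 INDEX FILENAME
# Print the SHA256 field of the stanza whose Filename equals FILENAME;
# print nothing if the file is not listed.
index_sha256() {
    awk -v want="$2" '
        /^Filename: / { fn = $2 }
        /^SHA256: /   { sum = $2 }
        /^$/          { if (fn == want && !done) { print sum; done = 1 }
                        fn = ""; sum = "" }
        END           { if (fn == want && !done) print sum }
    ' "$1"
}

# verify_deb INDEX FILENAME LOCALPATH
# Return 0 when the local file matches the digest in the index, 1 otherwise
# (unlisted file, or digest mismatch).
verify_deb() {
    expected=$(index_sha256 "$1" "$2")
    if [ -z "$expected" ]; then
        echo "verify_deb: $2 is not listed in $1" >&2
        return 1
    fi
    actual=$(file_sha256 "$3")
    if [ "$actual" != "$expected" ]; then
        echo "verify_deb: SHA256 mismatch for $3" >&2
        echo "  index has $expected" >&2
        echo "  file has  $actual" >&2
        return 1
    fi
    return 0
}

# --- constructed demo data (hypothetical archive, not real packages) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

printf 'not a real deb, just bytes\n' > "$demo_dir/hello_1.0_all.deb"
good_sum=$(file_sha256 "$demo_dir/hello_1.0_all.deb")

# Two-stanza index; the first stanza is a decoy with an unrelated digest.
cat > "$demo_dir/Packages" <<EOF
Package: other
Filename: pool/main/o/other/other_2.0_all.deb
SHA256: 0000000000000000000000000000000000000000000000000000000000000000

Package: hello
Version: 1.0
Filename: pool/main/h/hello/hello_1.0_all.deb
SHA256: $good_sum
EOF

# A tampered download: same name the index expects, different content.
printf 'trojaned\n' > "$demo_dir/hello_1.0_all.deb.bad"

demo_good() {
    verify_deb "$demo_dir/Packages" pool/main/h/hello/hello_1.0_all.deb \
        "$demo_dir/hello_1.0_all.deb"
}
demo_bad() {
    verify_deb "$demo_dir/Packages" pool/main/h/hello/hello_1.0_all.deb \
        "$demo_dir/hello_1.0_all.deb.bad"
}

demo_good && echo "genuine package: OK"
demo_bad  || echo "tampered package: rejected"
```

This only closes the gap if the Packages index itself was obtained through apt's signed Release file verification; comparing against an unauthenticated index proves nothing, which is the point of the neighbouring CVE-2014-0488.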
DSA-3026 dbus – security update
Alban Crequy and Simon McVittie discovered several vulnerabilities in
the D-Bus message daemon.
DSA-3023 bind9 – security update
Jared Mauch reported a denial of service flaw in the way BIND, a DNS
server, handled queries for NSEC3-signed zones. A remote attacker could
use this flaw against an authoritative name server that served
NSEC3-signed zones by sending a specially crafted query, which, when
processed, would cause named to crash.
DSA-3024 gnupg – security update
Genkin, Pipman and Tromer discovered a side-channel attack on Elgamal
encryption subkeys (CVE-2014-5270).
DSA-3020 acpi-support – security update
During a review for EDF, Raphael Geissert discovered that the
acpi-support package did not properly handle data obtained from a
user’s environment. This could lead to program malfunction or allow a
local user to escalate privileges to the root user due to a programming
error.
DSA-3022 curl – security update
Two vulnerabilities have been discovered in cURL, a URL transfer
library. They can be used to leak cookie information:
[BSA-096] Security Update for libreoffice
Rene Engelhard uploaded new packages for libreoffice which fixed the
following security problems:
CVE-2014-0247
It was discovered that LibreOffice unconditionally executed certain VBA
macros, contrary to user expectations.
https://security-tracker.debian.org/tracker/CVE-2014-0247
The stable distribution (wheezy) is not affected by this issue.
For the testing (jessie) and unstable (sid) distributions, these problems
have been fixed in version 1:4.2.5-1.
For the wheezy-backports distribution, these problems have been fixed in
version 1:4.2.5-1~bpo70+1.