Gjoko Krstic of Zero Science Labs discovered that dcmtk, a collection
of libraries implementing the DICOM standard, did not properly handle
the size of data received from the network. This could lead to
denial-of-service (via application crash) or arbitrary code execution.

Gergely Gábor Nagy from Tresorit discovered that libcrypto++, a C++
cryptographic library, contained a bug in several ASN.1 parsing
routines. This would allow an attacker to remotely cause a denial of
service.

Bjoern Jacke discovered that Exim, Debian’s default mail transfer agent,
may leak the private DKIM signing key to the log files if specific
configuration options are met.

Saulius Lapinskas from Lithuanian State Social Insurance Fund Board
discovered that Squid3, a fully featured web proxy cache, does not
properly process responses to If-None-Modified HTTP conditional
requests, leading to client-specific Cookie data being leaked to other
clients. A remote attacker can take advantage of this flaw to discover
private and sensitive information about another clients browsing
session.

Several vulnerabilities have been discovered in GraphicsMagick, a
collection of image processing tool, which can cause denial of service
attacks, remote file deletion, and remote command execution.

Several vulnerabilities were discovered in libxml2, a library providing
support to read, modify and write XML and HTML files. A remote attacker
could provide a specially crafted XML or HTML file that, when processed
by an application using libxml2, would cause a denial-of-service against
the application, or potentially, the execution of arbitrary code with
the privileges of the user running the application.

It was discovered that bottle, a WSGI-framework for the Python
programming language, did not properly filter “rn” sequences when
handling redirections. This allowed an attacker to perform CRLF
attacks such as HTTP header injection.

It was discovered that the Flight Gear flight simulator performs
insufficient sanitising of Nasal scripts which allows a malicious script
to overwrite arbitrary files with the privileges of the user running
Flight Gear.

It was discovered that Tor, a connection-based low-latency anonymous
communication system, may read one byte past a buffer when parsing
hidden service descriptors. This issue may enable a hostile hidden
service to crash Tor clients depending on hardening options and malloc
implementation.

Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,
print, and login server for Unix. The Common Vulnerabilities and
Exposures project identifies the following issues: