Updated nail package fixes security vulnerabilities:

A flaw was found in the way mailx handled the parsing of email
addresses. A syntactically valid email address could allow a local
attacker to cause mailx to execute arbitrary shell commands through
shell meta-characters and the direct command execution functionality
(CVE-2004-2771, CVE-2014-7844).

Updated pwgen package fixes security vulnerabilities:

Pwgen was found to generate weak non-tty passwords by default, which
could be brute-forced with a commendable success rate, which could
raise security concerns (CVE-2013-4440).

Pwgen was found to silently falling back to use standard pseudo
generated numbers on the systems that heavily use entropy. Systems,
such as those with a lot of daemons providing encryption services,
the entropy was found to be exhausted, which forces pwgen to fall
back to use standard pseudo generated numbers (CVE-2013-4442).

Updated mediawiki packages fix security vulnerabilities:

In MediaWiki before 1.23.8, thumb.php outputs wikitext message as
raw HTML, which could lead to cross-site scripting. Permission to
edit MediaWiki namespace is required to exploit this.

In MediaWiki before 1.23.8, a malicious site can bypass CORS
restrictions in in API calls if it only included an allowed domain
as part of its name.

Updated unrtf package fixes security vulnerabilities:

Michal Zalewski reported an out-of-bounds memory access vulnerability
in unrtf. Processing a malformed RTF file could lead to a segfault
while accessing a pointer that may be under the attacker’s control.
This would lead to a denial of service (application crash) or,
potentially, the execution of arbitrary code (CVE-2014-9274).

Hanno Bck also reported a number of other crashes in unrtf
(CVE-2014-9275).

This is a maintenance and bugfix release that upgrades PostgreSQL to
the latest 9.2.9 version which resolves various upstream bugs.

Updated c-icap packages fix security vulnerabilities:

Several vulnerabilities were found in c-icap, which could allow a
remote attacker to cause c-icap to crash, or have other, unspecified
impacts (CVE-2013-7401, CVE-2013-7402).

Updated pcre packages fix security vulnerability:

A flaw was found in the way PCRE handled certain malformed regular
expressions. This issue could cause an application linked against PCRE
to crash while parsing malicious regular expressions (CVE-2014-8964).

Updated ntp packages fix security vulnerabilities:

If no authentication key is defined in the ntp.conf file, a
cryptographically-weak default key is generated (CVE-2014-9293).

ntp-keygen before 4.2.7p230 uses a non-cryptographic random number
generator with a weak seed to generate symmetric keys (CVE-2014-9294).

A remote unauthenticated attacker may craft special packets that
trigger buffer overflows in the ntpd functions crypto_recv() (when
using autokey authentication), ctl_putdata(), and configure(). The
resulting buffer overflows may be exploited to allow arbitrary
malicious code to be executed with the privilege of the ntpd process
(CVE-2014-9295).

A section of code in ntpd handling a rare error is missing a return
statement, therefore processing did not stop when the error was
encountered. This situation may be exploitable by an attacker
(CVE-2014-9296).

The ntp package has been patched to fix these issues.

Updated php packages fix security vulnerability:

A use-after-free flaw was found in PHP unserialize(). An untrusted
input could cause PHP interpreter to crash or, possibly, execute
arbitrary code when processed using unserialize() (CVE-2014-8142).

PHP has been updated to version 5.5.20, which fixes these issues and
other bugs.

Updated subversion packages fix security vulnerabilities:

A NULL pointer dereference flaw was found in the way mod_dav_svn
handled REPORT requests. A remote, unauthenticated attacker could
use a crafted REPORT request to crash mod_dav_svn (CVE-2014-3580).

A NULL pointer dereference flaw was found in the way mod_dav_svn
handled URIs for virtual transaction names. A remote, unauthenticated
attacker could send a request for a virtual transaction name that
does not exist, causing mod_dav_svn to crash (CVE-2014-8108).