Ubuntu Security Notice USN-3048-1

Ubuntu Security Notice 3048-1 – Bru Rom discovered that curl incorrectly handled client certificates when resuming a TLS session. It was discovered that curl incorrectly handled client certificates when reusing TLS connections. Marcelo Echeverria and Fernando Munoz discovered that curl incorrectly reused a connection struct, contrary to expectations. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. Various other issues were also addressed.

RSA Authentication Manager Insecure Direct Object Reference

RSA AM Prime Self-Service Portal could allow a malicious authenticated user (attacker) to replace his/her token serial number in a PIN change request with the token serial number of a victim user, which may change the PIN of the victim user to the PIN value specified by the attacker in the PIN change request. This may also deny the victim's access to the system. Versions 3.0 and 3.1 prior to build version 1915 are affected.

Debian Security Advisory 3644-1

Debian Linux Security Advisory 3644-1 – Tobias Stoeckmann discovered that cache files are insufficiently validated in fontconfig, a generic font configuration library. An attacker can trigger arbitrary free() calls, which in turn allows double free attacks and therefore arbitrary code execution. In combination with setuid binaries using crafted cache files, this could allow privilege escalation.

First-Ever Ransomware For Smart Thermostat is Here — It's Hot!

The Internet of Things (IoT) is the latest buzz in the world of technology, but IoT devices are much easier to hack than you think.

Until now we have heard many scary stories of hacking IoT devices, but how realistic is the threat?

Just think of a scenario where you enter your house and it’s sweltering, but when you head over to check the temperature on your thermostat, you find out that it has been