Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write
NTFS driver for FUSE, does not scrub the environment before executing
modprobe with elevated privileges. A local user can take advantage of
this flaw for local root privilege escalation.

Multiple vulnerabilities have been discovered in libgd2, a library for
programmatic graphics creation and manipulation, which may result in
denial of service or potentially the execution of arbitrary code if a
malformed file is processed.

Several vulnerabilities have been discovered in the chromium web browser.

Michal Marek discovered that ruby-archive-tar-minitar, a Ruby library
that provides the ability to deal with POSIX tar archive files, is prone
to a directory traversal vulnerability. An attacker can take advantage
of this flaw to overwrite arbitrary files during archive extraction via
a .. (dot dot) in an extracted filename.

Multiple vulnerabilities have been discovered in tcpdump, a command-line
network traffic analyzer. These vulnerabilities might result in denial
of service or the execution of arbitrary code.

Ibrahim M. El-Sayed discovered an out-of-bounds heap read vulnerability
in the function Type_MLU_Read in lcms2, the Little CMS 2 color
management library, which can be triggered by an image with a specially
crafted ICC profile and leading to a heap memory leak or
denial-of-service for applications using the lcms2 library.

Several vulnerabilities were discovered in OpenSSL:

Tobias Stoeckmann discovered that the libXpm library contained two
integer overflow flaws, leading to a heap out-of-bounds write, while
parsing XPM extensions in a file. An attacker can provide a specially
crafted XPM file that, when processed by an application using the libXpm
library, would cause a denial-of-service against the application, or
potentially, the execution of arbitrary code with the privileges of the
user running the application.

Multiple security issues have been found in the Mozilla Firefox web
browser: Memory safety errors, use-after-frees and other implementation
errors may lead to the execution of arbitrary code, information
disclosure or privilege escalation.

Several issues have been discovered in the MariaDB database server. The
vulnerabilities are addressed by upgrading MariaDB to the new upstream
version 10.0.29. Please see the MariaDB 10.0 Release Notes for further
details: