Multiple SQL injection vulnerabilities have been discovered in the Mantis
bug tracking system.

Multiple security issues have been found in Icedove, Debian’s version of
the Mozilla Thunderbird mail and news client: Multiple memory safety
errors and use-after-frees may lead to the execution of arbitrary code
or denial of service.

Several security issues have been corrected in multiple demuxers and
decoders of the libav multimedia library. A full list of the changes is
available at
http://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v0.8.15

It was discovered that APT, the high level package manager, does not
properly invalidate unauthenticated data
(CVE-2014-0488), performs
incorrect verification of 304 replies
(CVE-2014-0487), does not perform
the checksum check when the Acquire::GzipIndexes option is used
(CVE-2014-0489) and does not properly perform validation for binary
packages downloaded by the apt-get download command
(CVE-2014-0490).

Alban Crequy and Simon McVittie discovered several vulnerabilities in
the D-Bus message daemon.

Genkin, Pipman and Tromer discovered a side-channel attack on Elgamal
encryption subkeys
(CVE-2014-5270).

Jared Mauch reported a denial of service flaw in the way BIND, a DNS
server, handled queries for NSEC3-signed zones. A remote attacker could
use this flaw against an authoritative name server that served
NCES3-signed zones by sending a specially crafted query, which, when
processed, would cause named to crash.

Two vulnerabilities have been discovered in cURL, an URL transfer
library. They can be use to leak cookie information:

During a review for EDF, Raphael Geissert discovered that the
acpi-support package did not properly handle data obtained from a
user’s environment. This could lead to program malfunction or allow a
local user to escalate privileges to the root user due to a programming
error.

Rene Engelhard uploaded new packages for libreoffice which fixed the following
security problems:

CVE-2014-0247
  It was discovered that LibreOffice unconditionally executed certain VBA
  macros, contrary to user expectations.

  https://security-tracker.debian.org/tracker/CVE-2014-0247

The stable distribution (wheezy) is not affected by this issue.

For the testing (jessie) and unstable (sid) distributions, these
problems have been fixed in version 1:4.2.5-1.

For the wheezy-backports distribution, these problems have been fixed in
version 1:4.2.5-1~bpo70+1.