Manfred Paul discovered two security issues in the Mozilla Firefox web browser, which could result in the execution of arbitrary code. For the oldstable distribution (buster), these problems have been fixed
Felix Wilhelm reported that several buffer handling functions in libxml2, a library providing support to read, modify and write XML and HTML files, don't check for integer overflows, resulting in out-of-bounds memory writes if specially crafted, multi-gigabyte XML
Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code. For the oldstable distribution (buster), these problems have been fixed
Jacek Konieczny discovered a SQL injection vulnerability in the back-sql backend to slapd in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol, allowing an attacker to alter the database during an LDAP search operations when a specially crafted search filter
Elison Niven discovered that the c_rehash script included in OpenSSL did not sanitise shell meta characters which could result in the execution of arbitrary commands.
It was discovered that the Waitress WSGI server was susceptible to HTTP request smuggling in some scenarios when used behind a proxy. For the oldstable distribution (buster), this problem has been fixed
Jakub Wilk discovered a local privilege escalation in needrestart, a utility to check which daemons need to be restarted after library upgrades. Regular expressions to detect the Perl, Python, and Ruby interpreters are not anchored, allowing a local user to escalate
Alexander Lakhin discovered that the autovacuum feature and multiple commands could escape the "security-restricted operation" sandbox. For additional information please refer to the upstream announcement
Alexander Lakhin discovered that the autovacuum feature and multiple commands could escape the "security-restricted operation" sandbox. For additional information please refer to the upstream announcement