It was discovered that RT::Authen::ExternalAuth, an external authentication module for Request Tracker, is vulnerable to timing side-channel attacks on user passwords. Only ExternalAuth in DBI (database) mode is vulnerable.
It was discovered that ZooKeeper, a service for maintaining configuration information, didn't restrict access to the computationally expensive wchp/wchc commands, which could result in denial of service through elevated CPU consumption.
It was discovered that there was a vulnerability in libsndfile, a library for reading/writing audio files. A specially crafted AIFF ("Audio Interchange File Format") file could result in an out-of-bounds memory read.
tiff3 was affected by multiple memory leaks (CVE-2017-9403, CVE-2017-9404) that could result in denial of service. Furthermore, while the current version in Debian was already patched for _TIFFVGetField issues (CVE-2016-10095, CVE-2017-9147), we replaced our Debian-specific patches