The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. 
For a successful attack, wpa_supplicant must be configured to not verify the network's 
TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can 
then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV 
Success packet instead of starting Phase 2. This allows an adversary to impersonate 
Enterprise Wi-Fi networks.

Heap Buffer Overflow vulnerability in qpdf 11.9.0 allows attackers to crash 
the application via the std::__shared_count() function at /bits/shared_ptr_base.h.

A flaw was found in the grub2-set-bootflag utility of grub2. After the fix of CVE-2019-14865, 
grub2-set-bootflag will create a temporary file with the new grubenv content and rename it to 
the original grubenv file. If the program is killed before the rename operation, the temporary 
file will not be removed and may fill the filesystem when invoked multiple times, resulting in 
a filesystem out of free inodes or blocks.

The util-linux wall command does not filter escape sequences from command line arguments. 
The vulnerable code was introduced in commit cdd3cc7fa4 (2013). 
Every version since has been vulnerable. 
A full report can be found here. I have nicknamed this bug "WallEscape".

The urgent Red Hat warning can be found via the Red Hat blog. 
Debian has also released a similar security message over the malicious code within XZ utils.

Long story short, make sure you don't have XZ 5.6.0/5.6.1 on your systems now.