Wilfried Goesgens discovered that WebCit, the web-based user interface for the Citadel groupware system, contains a format string vulnerability in the mini_calendar component, possibly allowing arbitrary code execution . For the stable distribution , this problem has been fixed in version 7.37-dfsg-7. For the unstable distribution , this problem has been fixed in version 7.38b-dfsg-2. We recommend that you upgrade your webcit packages.