A Debian security update for tcpdump32 different vulnerabilities in tcpdump that are addressed by this update [1]. While there are not a lot of details available yet, some of the vulnerabilities can apparently be used to execute arbitrary code.
This is in particular worrying if you use tcpdump to look at live attack traffic. Of course, remember that you can have tcpdumprelinquish its root privileges after you start it up (-Z userid) , but it would still have the ability to execute code as the user running tcpdump.
All tcpdump versions prior to 4.9.0 may be vulnerable. (again, not a lot of details yet)
[1] https://www.debian.org/security/2017/dsa-3775
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.