Dell has pubished a security bulletin rated Critical.  Oracle JRE within Dell EMC Storage Monitoring and Reporting requires a security update to address various vulnerabilities.
More info.

Xerox has published updates that apply the October Microsoft updates and Java and Firefox updates to the FreeFlow Print Server.
More info.

An attacker can use Function inside of vulnerable versions of lodash to execute malicious code using the Traffic Management User Interface (TMUI) or iControl REST API.
More info.

A vulnerability allows remote attackers to conduct denial-of-service attacks via a susceptible version of Synology Assistant.
More info.

SUSE has updated the kernel and microcode.  More info.
OpenSUSE has updated the kernel, microcode, and others.  More info.
Arch Linux has updated the microcode.  More info.
RedHat has updated the kernel.  More info.
CentOS has updated the kernel, microcode, thunderbird, and others.  More info.
Oracle Linux has updated the kernel.  More info.
Debian has updated the kernel, microcode, and others.  More info.
Scientific Linux has updated the kernel.  More info.

Microsoft Monthly Patches are out.  There is a total of 74 vulnerabilities, including two advisories. 14 of the vulnerabilities are rated critical. Two vulnerabilities had been disclosed prior to today, and one critical scripting engine vulnerability that may lead to RCE has already been exploited in the wild.
More info.  And here.  And here.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.  This is actively being exploited.
More info.

Adobe Monthly Patches are out.  Adobe has released security updates to address vulnerabilities in Animate CC 2019, Illustrator CC, Media Encoder, and Bridge CC. An attacker could exploit some of these vulnerabilities to take control of an affected system.
More info.

Intel has published 18 bulletins, two rated Critical and eight rated High.
More info.

Potential security vulnerabilities in Intel Baseboard Management Controller (BMC) firmware may allow escalation of privilege, denial of service and/or information disclosure.
More info.

Potential security vulnerabilities in Intel CSME, Intel SPS, Intel TXE, Intel AMT, Intel PTT, and Intel DAL may allow escalation of privilege, denial of service or information disclosure.
More info.

Lenovo has published updates for the Intel vulnerabilities.  More info.
Supermicro has published updates.  More info.
HP has published updates.  More info.
Dell has published updates.  More info.
FreeBSD has updated for two Intel vulnerabilities.  More info.
Citrix has updated.  More info.
Xen has updated.  More info.
NetApp has published eight bulletins.  More info.

Philips has become aware of a potential issue with inadequate encryption strength associated with the Philips IntelliBridge EC40 and EC80 Hub. Successful exploitation of this issue may allow an unauthorized user access to the hub, and may allow access to execute software, modify system configuration, or view/update files, including unidentifiable patient data.
More info.

An ePolicy Orchestrator update fixes multiple Java vulnerabilities that can allow Information Exposure, DoS, and Information Modification.
More info.

Unprotected Transport of Credentials in ePO extension in McAfee Data Loss Prevention allows remote attackers with access to the network to collect login details to the LDAP server via the ePO extension not using a secure connection when testing LDAP connectivity.
More info.

Traffix SDC is vulnerable to issues in libpcap.
More info.

SUSE has updated the kernel, python, dhcp, and others.  More info.
Arch Linux has updated the kernel and others.  More info.
RedHat has updated the kernel.  More info.
Oracle Linux has updated the kernel.  More info.
Ubuntu has updated the kernel and others.  More info.

SAP Monthly Patches are out.  There are 12 new security notes and three updated ones.  All of the updated notes are rated Hot News, one new bulletin is rated Hot News, one is High, the rest are Medium.  Three bulletins address missing authorization vulnerabilities.
More info.

Siemens Monthly Patches are out.  There are three new bulletins, and five updated bulletins.  Several of the updates include patches to previously reported vulnerabilities.
More info.

The latest update for Desigo PXC devices fixes a vulnerability that could allow unauthenticated remote users to cause a denial of service condition on the PX Web interface (HTTP, port tcp/80) of a device.
More info.

Schneider Electric has published Monthly Patches, with two new bulletins and six updated bulletins.  The two new bulletins address XSS in Andover Continuum and Information Exposure in Modicon Controllers.  New bulletins are not yet available on the site.
More info.

F5 has identified that their products are vulnerable to recent issues patched in tcpdump.  No fixes yet.
More info.

Multiple vulnerabilities have been published for squid, including HTTP response splitting, DoS, and RCE.
More info.

Thales/Gemalto Product Security Team has investigated recently reported vulnerabilities in Sentinel LDK License Manager.
More info.

IBM QRadar SIEM is vulnerable to multiple kernel and Eclipse Jetty vulnerabities.
More info.  And here.

SUSE had updated libssh, apache, and others.  More info.
OpenSUSE has updated php, firefox, thunderbird, python, and others.  More info.
Arch Linux has updated the kernel and squid.  More info.
Debian has updated chromium.  More info.
Ubuntu has updated bash. More info.

Medtronic Valleylab FT10 and FX8 products use multiple sets of hard-coded credentials, reversible one-way hash, and a vulnerable version of the rssh utility.  Patches for FT10 are available.
More info.  And here.

Mitsubishi Electric MELSEC-Q Series and MELSEC-L Series CPU Modules contain a security vulnerability that would allow a remote attacker to cause a DoS through the FTP service.
More info.

Google has released an update for Chrome for Desktop containing 4 security fixes.
More info.

Honeywell MAXPRO VMS contains two vulnerabilities that can allow Unauthenticated RCE via unsafe binary deserialization and Unauthenticated Remote arbitrary SQL command execution.
More info.

Hitachi has published security bulletins for Cosminexus HTTP Server, Hitachi Command Suite, and Hitachi Infrastructure Analytics Advisor.
More info.

SUSE had updated thunderbird, gdb, and others.  More info.
Gentoo Linux has updated openssl, openssh, and others.  More info.
Mageia has updated chromium, thunderbird, firefox, python, proftd, and others.  More info.
Scientific Linux has updated thunderbird.  More info.

Cisco has published 16 bulletins for their products, 8 rated High, 6 Medium, and 2 are Informational.
More info.

Multiple vulnerabilities in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system.
More info.

Multiple vulnerabilities in the video service of Cisco TelePresence Collaboration Endpoint (CE) and Cisco RoomOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
More info.

Cisco firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers and RV016, RV042, RV042G, and RV082 Routers are affected by Static certificates and keys, Hardcoded password hashes, and Multiple vulnerabilities in third-party software components.
More info.  And here.

Moxa has reported vulnerabilities in EDS-405A Series Ethernet Switches that could allow an attacker to cause a DoS.
More info.

NetApp has published five bulletins documenting third-party software vulnerabilities in their products. No patches.
More info.

SUSE had updated libssh and php.  More info.
OpenSUSE has updated chromium.  More info.
Arch Linux has updated squid and the kernel.  More info.
RedHat has updated chromium, thunderbird, sudo, and others.  More info.
Scientific Linux has updated sudo.  More info.
Amazon Linux has updated subversion and docker.  More info.
Amazon Linux 2 has updated dovecot, samba, and others.  More info.

Omron CX-Supervisor uses a vulnerable version of TeamViewer.  Successful exploitation could result in information disclosure, total compromise of the system, and system unavailability.
More info.

Omron has released an updated version of Network Configurator for DeviceNet Safety to address a previously reported vulnerability.
More info.

SUSE had updated samba, libssh, and others.  More info.
OpenSUSE has updated php, python, the kernel, and others.  More info.
RedHat has updated php, python, and others.  More info.
Debian has updated proftpd.  More info.
Ubuntu has updated nokogiri, haproxy, and others.  More info.

Qualcomm has published their monthly patches, with 13 fixed vulnerabilities.  Five are marked Critical, six are High, the other two are Medium.  Six have an attack vector of Remote.
More info.

Google has published their Monthly Patches for Android.  There are 27 vulnerability fixes plus the Qualcomm patches.  Three are rated Critical, four allow RCE.
More info.

They have also released the Monthly Patches for Pixel, with 19 fixed vulnerabilities, with one allowing RCE.
More info.

Brocade has published seven new bulletins for their SANnav product, covering MItM, weak encryption, hardcoded passwords and more.  Highest CVSSv3 score is 7.5.
More info.

All F5 products are vulnerable to a DoS vulnerability in tcpdump.  When tcpdump is active and configured to parse FRF.16 traffic, certain traffic patterns may trigger a crash or other unexpected behavior of the tcpdump process.
More info.

Tenable has published a standalone PHP patch for Tenable.sc
More info.

SUSE had updated samba and python-ecdsa.  More info.
Arch Linux has updated electron and samba. More info.
Debian has updated webkit2gtk.  More info.

ABB is aware of public reports of a vulnerability in Power Generation Information Manager and Plant Connect. An attacker who exploits this vulnerability can bypass authentication and extract the user credentials used within the application. CVSSv3 score of 9.8.
Note this statement: "In some cases, end users have used the same usernames and passwords for Windows login. In such instances, if an unauthorized user extracts credentials for PGIM and Plant Connect, then they would also be in possession of Windows credentials, potentially compromising the security of the Domain."

An updated product, Symphony Plus Historian, is available that resolves the publicly reported vulnerabilities.
More info.

Multiple security vulnerabilities have been fixed in Xerox AltaLink products.
More info.

The QSnatch malware is reportedly being used to target QNAP NAS devices. QNAP has added rules to remove the QSnatch malware and released Malware Remover 3.5.4.0 and 4.5.4.0.
More info.

OpenSUSE had updated chromium.  More info.
Arch Linux has updated chromium, ghostscript, python, glibc, and others. More info.
CentOS has updated php, firefox, nss, and others.  More info.
Scientific Linux has updated firefox and php.  More info.
Amazon Linux and Amazon Linux 2 have updated php.  More info.

Google has published a new version of Chrome for Desktop that contains two security fixes, the most severe of which could result in arbitrary code execution. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page.  One of these is actively exploited in the wild.
More info.

Advantech WISE-PaaS/RMM contains multiple vulnerabilities, including Path Traversal, Missing Authorization, Improper Restriction of XML External Entity Reference, and SQL Injection. Successful exploitation of these vulnerabilities may allow information disclosure, remote code execution, and compromise system availability.  Note these products are EOL.
More info.

Dell has published security updates for EMC Avamar and Networker Security that corrects multiple third-party components vulnerabilities.
More info.

Multiple vulnerabilities have been found in Hitachi Command Suite, Hitachi Automation Director, Hitachi Configuration Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center.
More info.

Multiple vulnerabilities have been identified in Cosminexus.
More info.

SonicWall physical firewall appliances running certain versions of SonicOS contain vulnerabilities in code utilized for remote management.
More info.

SUSE had updated the kernel and samba.  More info.
RedHat Linux has updated php and others.  More info.
CentOS has updated firefox, thunderbird, and sudo.  More info.
Oracle Linux has updated php.  More info.
Debian has updated libarchive and one other.  More info.
Scientific Linux has updated php.  More info.

Apple has published additional bulletins for iTunes and iCloud.
More info.

A vulnerability has been identified in AccuRev for LDAP Integration. If the AccuRev server and the AccuRev for LDAP Integration version 2017.1 are installed on a Linux or Solaris system, anyone who knows a valid AccuRev username can use the AccuRev client to login and gain access to AccuRev source control without knowing the user’s password.  CVSSv3 score of 9.1
More info.

Xen has published six new bulletins, most vulnerabilities require guest access to exploit.
More info.

NetApp has published six new bulletins for vulnerabilities in third party software in their products.  No patches.
More info.

SUSE had updated the kernel, samba, php, firefox, and others.  More info.
RedHat Linux has updated firefox, sudo, and others.  More info.
Amazon Linux has updated openssh and python.  More info.
Amazon Linux 2 has updated http, mod_http, and sssd.  More info.

Apple has published the details for the security updates for Safari, two versions of iOS, iPadOS and tvOS.  Also, an update for watchOS and macOS has been published.  Several vulnerabilities allow remote code execution.
More info.  And here.

BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry powered by Android smartphones.
More info.

There are two heap buffer overflow vulnerabilities in Broadcom WiFi chipset drivers. A remote, unauthenticated attacker may send specially-crafted WiFi packets to exploit these vulnerabilities.
More info.

There is an improper authentication vulnerability in some Huawei smartphones. Successful exploitation may cause the attacker to access specific components.
More info.

SUSE had updated python, samba, php, and others.  More info.
RedHat Linux has updated samba and others.  More info.
Oracle Linux has updated thunderbird.  More info.
Ubuntu has updated libarchive, samba, and others.  More info.
Mageia has updated php, the kernel, and others.  More info.
Scientific Linux has updated thunderbird.  More info.

RouterOS DNS implementation is vulnerable to unauthenticated remote DNS cache poisoning via Winbox. The router is impacted even when DNS is not enabled.
More info.

The upgrade system used by RouterOS is vulnerable to man in the middle attacks and insufficient package validation. An attacker can abuse these vulnerabilities to downgrade a router's installed RouterOS version, possibly lock the user out of the system, possibly disable the system.
More info.

Apple has published security updates for Safari, two versions of iOS, iPadOS and tvOS.  No details of the vulnerabilities are listed at the moment.
More info.

Trend Micro has released Critical Patches for Trend Micro OfficeScan 11.0 SP1 and XG which resolve an arbitrary file upload with directory traversal vulnerability. 
More info.

Trend Micro has released a Critical Patch for Trend Micro Apex One (on-premise) which resolves an arbitrary file upload with command injection vulnerability. 
More info.

Trend Micro has released Patches and Critical Patches (CPs) for Trend Micro Commercial Endpoint Protection products - Apex One, OfficeScan, and Worry-Free Business Security - which resolve a root login bypass with directory traversal vulnerability. 
More info.

A vulnerability in tcpdump used in F5 products could allow an attacker to gain access to sensitive information and also cause a denial of service (DoS).
More info.

A malicious server can craft a pathname containing separators and return this to client code, causing the client to use this access local pathnames for reading or writing instead of SMB network pathnames.
More info.

Critical vulnerabilities exist in the eIDAS-Node software component (EU cross-border authentication). These vulnerabilities could allow an attacker to impersonate any EU citizen.
More info.

SUSE had updated python and others.  More info.
RedHat Linux has updated chromium, thunderbird, and sudo.  More info.
Debian has updated php.  More info.
Ubuntu has updated php.  More info.

Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for arbitrary code execution.
More info.

If MAC-based port security or 802.1x port security is enabled, the FL NAT 2xxx will unintentionally grant access to unauthorized devices in case of routed transmission.  CVSSv3 score of 8.1
More info.

IBM Security Guardium contains multiple vulnerabilities, including cleartext transmission of sensitive info, information exposure, hardcoded credentials, and improper authorization.
More info.

OpenSUSE has updated python, the kernel, and others.  More info.
Arch Linux has updated chromium, firefox, and thunderbird.  More info.
Debian has updated firefox, golang, and file.  More info.
Amazon Linux has updated exim, httpd, and patch.  More info.

Philips has become aware that for Versions K and prior of the Philips IntelliSpace Perinatal system, a potential vulnerability may allow an unauthorized user access to system resources. This could impact confidentiality and integrity of the system and application. To exploit this issue, an attacker would require physical access to a locked application screen, or a remote desktop session host application.
More info.

Rittal Chiller SK 3232-Series contains two authentication vulnerabilities. The authentication mechanism on affected systems is configured using hard-coded credentials, and does not provide a sufficient level of protection against unauthorized configuration changes. Primary operations, namely turning the cooling unit on and off and setting the temperature set point, can be modified without authentication.  CVSS of 9.1
More info.

The IBM Security Access Manager product can be attacked using the Slowloris Denial of service attack, by allowing an unauthenticated attacker to cause a denial of service in the reverse proxy component.
More info.

ABB has published four security bulletins for Relion 650 and 670 series, covering OpenSSL, a Terminal Reboot vulnerability that allows DoS, and an MMS Path Traversal vulnerability.
More info.

An attacker who successfully exploited the MMS Path Traversal vulnerability could retrieve any file on the device’s flash drive without authentication on the device or make the product inoperative by deleting files from the device’s flash drive.  CVSSv3 score of 10.
More info.

A malicious actor with man-in-the-middle positioning between vCenter Server Appliance and a backup target may be able to intercept sensitive data in transit during File-Based Backup and Restore operations.
More info.

SUSE has updated xen and others.  More info.
Arch Linux has updated php.  More info.
Gentoo Linux has updated php.  More info.
Scientific Linux has updated sudo.  More info.
Amazon Linux 2 has updated curl.  More info.

A specific crafted request may cause a stack-based buffer overflow and could therefore execute arbitrary code on the CODESYS ENI server or lead to a denial-of-service condition due to a crash in the CODESYS ENI server.
More info.

Dell has released a security update for third-party software supportutils in the EMC Unity Family and EMC Unity XT Family.
More info.

Avaya has published security updates addressing vulnerabilities in the underlying OS (RedHat).
More info.

NetApp has published five security bulletins addressing vulnerabilities in third-party software used in their products, with no patches.  One bulletin has been published addressing an l2ping DoS vulnera bility that has been patched.
More info.

Multiple vulnerabilities have been fixed in Thunderbird.
More info.

SUSE has updated the kernel.  More info.
RedHat has updated firefox and sudo.  More info.
Oracle Liinux has updated firefox.  More info.
Ubuntu has updated firefox.  More info.
Mageia has updated openjdk, chromium, and others.  More info.
Scientific Linux has updated firefox and openafs.  More info.

Multiple vulnerabilities have been fixed in Firefox and Firefox ESR, the most serious of which could allow RCE.
More info.  And here.

Google has updated Chrome for the Desktop, with 37 security fixes.
More info.

IBM Security Proventia Network Active Bypass has addressed the vulnerabilities in OpenSSL and glibc.
More info.  And here.  And here.

Dell has published a security update for EMC Data Computing Appliance (DCA) to update multiple third-party components.
More info.

There is an out of bound read vulnerability in some Huawei products. A remote, unauthenticated attacker may send a corrupt or crafted message to the affected products.
More info.

SUSE has updated python, the kernel, and others.  More info.
OpenSUSE has updated gcc.  More info.
Arch Linux has updated pacman.  More info.
RedHat has updated firefox and the kernel.  More info.
CentOS has updated openjdk and patch.  More info.
Ubuntu has updated the kernel.  More info.
Scientific Linux has updated openjdk.  More info.

Traffix SDC is vulnerable to a DoS in the linux kernel.
More info.

SUSE has updated dhcp and procps.  More info.
RedHat has updated python, wget, and the kernel.  More info.
CentOS has updated the kernel.  More info.
Oracle Linux has updated openjdk.  More info.
Debian has updated openjdk and tcpdump.  More info.
Ubuntu has updated the kernel, uw imap, and exiv2.  More info.
Alpine Linux has published a new release with several security fixes.  More info.

A vulnerability has been identified in the management interface of Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that, if exploited, could allow an attacker with access to the management interface to gain administrative access to the appliance.
More info.

The latest release of Self Service Password Reset (SSPR) includes a fix for a security vulnerability. The Rest Server Certificate was not being validated.
More info.

Multiple information exposure vulnerabilities in FortiOS may allow an unauthenticated attacker to perform some information gathering via parsing the HTTP headers, web portal certificate, and error messages. The exposed information includes the FortiGate's model, serial number and internal IP address.
More info.

RealTek Wireless drivers can be exploited by a malicious attacker within wi-fi range to allow DoS or possibly RCE.  No patches yet, expect them to start rolling out.
More info.

SUSE has updated the kernel, python, sudo, and others.  More info.
OpenSUSE has updated dhcp, tcpdump, libpcap, and lighttpd.  More info.
Arch Linux has updated go.  More info.
RedHat has updated java.  More info.
Debian has updated openjdk and one other.  More info.
Scientific Linux has updated openjdk and the kernel.  More info.

ABB is aware of public reports of a vulnerability in UNO-DM. An unauthenticated attacker who successfully exploited this vulnerability could obtain access to some product information (nameplate, current connected IP, log).
More info.

Xerox has published multiple bulletins for their printer products over the last week, most updates for the Urgent/11 VxWorks vulnerabilities.  Worth a look if you manage Xerox printers.
More info.

RSA Authentication Manager software contains an XML Entity Injection vulnerability associated with token distribution.
More info.

Multiple components within RSA Authentication Manager require a security update to address various vulnerabilities.   (This was rated Critical).
More info.

NetApp has published six new bulletins documenting vulnerabilities in third-party software used in their products.
More info.

SUSE has updated the kernel and postgresql.  More info.
Scientific Linux has updated java.  More info.

Originally reported in April, apparently there are enough still-vulnerable VPN appliances and client installs that the NSA, CERT, and other agencies are publishing bulletins urging companies to update.  The vendors identified are Pulse Secure, Palo Alto, and Fortinet.
If you have a VPN system, check it and update it if needed.  Be a good netizen!
More info.  And here.  Here.    And here.

An error in the validity checks for incoming Mirror Zone data can allow an on-path attacker to replace mirror zone data that was validated with a configured trust anchor with forged data of the attacker's choosing.
More info.

A defect in code added to support QNAME minimization can cause named to exit with an assertion failure if a forwarder returns a referral rather than resolving the query.
More info.

Eaton is aware of a potential vulnerability in the CGLine+ Web Controller when connected to the supervision software CGVision.  No further information is available.
More info.

Trend Micro has released updates for Deep Security that resolves StartTLS LDAP Confidentiality and Local Arbitrary File Overwrite vulnerabilities.
More info.

Cisco has published 28 new bulletins, one rated Critical, five rated High, and the rest Medium.
More info.

A vulnerability in Cisco Aironet Access Points (APs) Software could allow an unauthenticated, remote attacker to gain unauthorized access to a targeted device with elevated privileges. The vulnerability is due to insufficient access control for certain URLs on an affected device.  CVSSv3 of 9.8
More info.

A vulnerability in the Secure Shell (SSH) session management for Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability exists because the SSH process is not properly deleted when an SSH connection to the device is disconnected.
More info.

A vulnerability in the Point-to-Point Tunneling Protocol (PPTP) VPN packet processing functionality in Cisco Aironet Access Points (APs) could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to insufficient validation of Generic Routing Encapsulation (GRE) frames that pass through the data plane of an affected AP.
More info.

SUSE has updated mariadb, gcc, and libreoffice.  More info.
RedHat has updated java and others.  More info.
Oracle Linux has updated the kernel and java.  More info.
Debian has updated unbound.  More info.
Arch Linux has updated xpdf.  More info.
Mageia has updated sudo, tcpdump, libpcap, the kernel, nmap, and others.  More info.
Scientific Linux has updated jss.  More info.

Oracle Quarterly Patches are out.  There are a total of 219 patched vulnerabilities across 23 product families, with 141 of them remotely exploitable.  CVSSv3 scores show 18 rated 9.0 or higher, and one rated 10.
The affected products are listed here, with number of vulnerabilities/number remotely exploitable:  10/2 patches for Database Server, 1/0 for NoSQL Database Server, 13/11 for Construction and Engineering, 10/10 for E-Business Suite, 7/5 for Enterprise Manager, 7/4 for Financial Services, 7/3 for Food and Beverage Applications, 37/31 for Fusion Middleware, 3/2 for GraalVM, 2/2 for Health Sciences Applications, 3/2 for Hospitality Applications, 3/0 for Hyperion Risk, 20/20 for Java SE, 1/1 for JD Edwards, 34/9 for MySQL, 13/10 for PeopleSoft, 4/4 for PeopleSoft, 12/9 for Retail Applications, 4/4 for Siebel CRM, 12/7 for Systems, 3/3 for Supply Chain, 2/2 for Support Tools , and 11/0 for Virtualization,
More info.

Adobe has published updates for Acrobat and Reader, Download Manager, Experience Manager, and Experience Manager Forms.
More info.

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS.  Successful exploitation could lead to arbitrary code execution in the context of the current user.
More info.

Adobe has released security updates for Adobe Experience Manager (AEM).  Successful exploitation could result in unauthorized access to the AEM environment.
More info.

IBM Security Guardium is affected by known vulnerabilities in Bouncy Castle.
More info.

Thales/Gemalto Product Security Team has investigated recently reported vulnerabilities in Sentinel LDK License Manager when installed as a service.
More info.

Critical security vulnerabilities were detected in LANTIME firmware.  Updated firmware is available.
More info.

Apache Fineract has updated for one Critical and two Important vulnerabilities.  The Critical vulnerability exists in spring security upstream dependencies and allowed malicious users to trigger remote code execution
More info.

A vulnerability exists in CA Performance Management that can allow a remote attacker to execute arbitrary commands.  A malicious attacker may use the default credentials and exploit a weakness in the configuration to execute arbitrary commands on the Performance Center server.
More info.

SUSE has updated tcpdump, libpcap, sudo, and others.  More info.
RedHat has updated the kernel.  More info.
Oracle Linux has updated the kernel and sudo.  More info.

The IEC870IP driver for Vijeo Citect and Citect SCADA has a buffer overflow that could cause a server-side crash.
More info.

Traffix SDC contains a vulnerability in OpenLDAP.  Attackers may be able to obtain access to restricted resources.
More info.

SUSE has updated the kernel, dhcp, sudo, and others.  More info.
OpenSUSE has updated sudo.  More info.
Debian has updated sudo.  More info.
Ubuntu has updated sudo.  More info.
Amazon Linux has updated sudo.  More info.

A critical shell injection vulnerability in Sophos Cyberoam Firewall appliances running CyberoamOS (CROS) can be exploited by sending a malicious request to either the Web Admin or SSL VPN consoles, which would enable an unauthenticated remote attacker to execute arbitrary commands.
More info.

SUSE has updated the kernel and others.  More info.
OpenSUSE has updated chromium.  More info.
Oracle Linux has updated the kernel.  More info.

Google has updated the stable channel of Chrome with a version that fixes 8 security vulnerabilities.
More info.

Dell EMC Avamar contains remediation for an XML External Entity Injection vulnerability that may potentially be exploited by malicious users to compromise the affected system.  Note that the CVSS analysis lists Privelege Required as None.
More info.

The latest NetIQ version contains security updates for XSS, java deserialization, and weak encryption.
More info.

HP has added HP PageWide printers to affected product list for a previous bulletin.
More info.

Hitachi has published updates for Global Link Manager, Cosminexus HTTP Server and Hitachi Web Server, and JP1 and IT Operations Director.
More info.

OpenSUSE has updated the kernel.  More info.
Arch Linux has updated chromium, sdl, and outbound.  More info.
Amazon Linux has updated golang, the kernel, and a few others.  More info.

Juniper Quarterly Patches are out addressing vulnerabilities in JunOS and third-party software that could result in DoS, Information Disclosure, cleartext logging of authentication credentials, and MitM.
More info.

iTerm2 with tmux integration is vulnerable to remote command execution.
More info.

The Solarwinds Dameware Mini Remote Client agent supports smart card authentication by default which allows a user to upload an executable to be executed on the host with the privileges of the Local System account. An unauthenticated, remote attacker can request smart card login and upload and execute an arbitrary executable.  CVSSv3 of 10
More info.

An unauthorized attacker who has the skills and the access to the hospital network could potentially cause the Infinity M300 device to reboot, lose alarm functionality, and/or lose communication with the Infinity Network.
More info.

Ubuntu has updated python.  More info.

Sunny WebBox, an EOL product of SMA Solar Technology AG contains a CSRF vulnerability. No patch will be available due to the EOL status.
More info.

GE Mark VIe Controller are affected by at least one of the following vulnerabilities. Some versions are affected by both.  Improper Authorization - an unsecured Telnet protocol may allow a user to create an authenticated session using generic default credentials, and pre-configured hard-coded credentials that may allow root-user access to the controller.  Recommendations include disabling Telnet and changing the passwords.
More info.

Beckhoff TwinCAT may be configured to use the Profinet driver.  In that case a denial of service of the controller could be reached by sending special packets to the device.
More info.

Multiple vulnerabilities have been identified in the Cobham EXPLORER 710, a portable satellite terminal used to provide satellite telecommunications and internet access.  Most are local, but one reads:  The web application portal allows unauthenticated access to port 5454 on the device. This could allow an unauthenticated, remote attacker to connect to this port via Telnet and execute 86 Attention (AT) commands.  In other words, RCE.
More info.

NetApp has published four new bulletins, two of which are for third-party software vulnerabilities, no patches yet.  The other two are NetApp  vulnerabilities with patches.
More info.

Clustered Data ONTAP versions 9.0 and higher do not enforce hostname verification under certain circumstances making them susceptible to impersonation via man-in-the-middle attacks.
More info.

SUSE has updated the kernel, firefox, and others.  More info.
OpenSUSE has updated sqlite and others.  More info.
Ubuntu has updated thunderbird and others.  More info.

Microsoft Monthly Patches are out with 59 vulnerabilities, 9 of which are rated Critical.  The October security release consists of security updates for Microsoft Windows, IE, Microsoft Edge, ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, SQL Server Management Studio, Open Source Software, Microsoft Dynamics 365, and Windows Update Assistant.
More info.  And here.

Schneider Electric Monthly Patches include four new and three updated bulletins.  No patches for the new bulletins, but the updated bulletins report fixed software for previously identified vulnerabilities.
More info.

Schneider Electric is aware of several vulnerabilities in many of its Modicon brand of programmable logic controllers.  DoS during upgrade and various  information exposure vulnerabilities.  No patches.
More info.  And here.  And here.  And here.

SAP Monthly Patches include seven new bulletins and one update.  Two are rated Hot News with CVSSv3 scores of 9.3 and 9.1, addressing missing authentication and information disclosure vulnerabilities.  One is rated High, the rest Medium.
More info.

Qualcomm has published their monthly bulletin for QTI closed-source product and Code Aurora Forum open-source.  A total of 15 vulnerabilities, nine rated Critical, six rated High.  Six vulnerabilities have a Remote Access Vector, leading to buffer overflow, buffer over-read, authentication bypass, and DoS.
More info.

Siemens Monthly Patches include five new bulletins and ten updated bulletins.  Note the updated bulletins include additional CVEs or removal of CVEs from the fixed lists, new updates for products, or still no updates, be sure to take a look at those as well.
More info.

A vulnerability in SIMATIC WinAC RTX (F) 2010 controller software could allow an attacker to perform a denial-of-service attack if a large HTTP request is sent to the network port of the host where WinAC RTXis running.
More info.

A vulnerability in affected Profinet devices could allow an attacker to perform a denial-of-service attack if a largeamount of specially crafted UDP packets are sent to the device.  Some updates, mostly remediation
More info.

A vulnerability in affected Industrial Real-Time (IRT) products could allow an unauthorized attacker with network access toperform a denial-of-service attack resulting in loss of real-time synchronization.
More info.

Apple has published security updates for iTunes, iCloud, and macOS Catalina.
More info.

iTunes includes fixes for RCE and XSS in WebKit and UIFoundation.  Ditto iCloud.
More info.  And here.  And here.

macOS includes fixes for RCE, memory corruption, and race conditions.
More info.

Google has published their Monthly Patches for Android.  There are nine vulnerabilities addressed, plus Qualcomm vulnerabilities.  Three are rated Critical, five are rated High.  RCE, Information Disclosure, and Elevation of Privilege vulnerabilities are addressed.
More info.

The Pixel Monthly bulletin is out, with one vulnerability rated High for Information Disclosure, plus Qualcomm vulnerabilities.
More info.

OpenSUSE has updated php, putty, dovecot, and others.  More info.
RedHat has updated python, wget, bind, the kernel, and others.  More info.
Mageia has updated firefox.  More info.

Project Zero is reporting a vulnerability originally patched by Google in Dec 2017 still unpatched in several handsets, including Pixel 2, Samsung S7/S8/S9 and others.  There are reports this is exploited in the wild.
More info.

IBM QRadar Network Security has been patched for openssh, openssl, and linux vulnerabilities.
More info.  And here.  And here.

Avaya has published an update for Media Server that fixes several vulnerabilities in the underlying RedHat OS, as well as forcing customer account password change on initial login, which is a Good Thing for security.
More info.

SUSE has update, java, bind, openssl, nginx, and others.  More info.
OpenSUSE has updated thunderbird, firefox, openssl, bind, php, nginx, and others.  More info.
Debian has updated jackson-databind.  More info.

A potential security vulnerability has been identified with Samsung Laser Printers. This vulnerability could potentially be exploited to create a denial of service.  CVSSv3 score of 7.5
More info.

NetApp has published six new bulletins for third-party software in their products.  One has a CVSSv3 score of 9.8.  No patches yet.
More info.

SUSE has update, java, bind, openssl, nginx, and others.  More info.
OpenSUSE has updated thunderbird, firefox, openssl, bind, php, nginx, and others.  More info.
Mageia has updated thunderbird.  More info.
Amazon Linux has updated nss, thunderbird, libssh, nginx, mysql, nghttp2, and others.  More info.  Note there is an Amazon Linux 2 page now with a separate update list, know which one you have.

The Shibboleth Identity Provider supports a number of login flows that rely on servlets or JSP pages to operate, including External, RemoteUser, X509, and SPNEGO. These flows are vulnerable to a denial of service attack by a remote, unauthenticated attacker, via Java heap exhaustion due to the creation of objects in the Java Servlet container session.
More info.

A reported vulnerability in QNAP NAS may affect Music Station. If exploited, the vulnerability may allow an attacker to inject arbitrary code into the system.
More info.

A reported OpenSSL vulnerability may affect QNAP NAS devices. If exploited, the vulnerability may allow attackers to run arbitrary code on the NAS.
More info.

Tcpdump has published a new version with a large number of vulnerabilities addressed.  No further details in the notice, just a link to the list of CVEs.
More info.

Cisco has published 33 new bulletins, 13 rated High and the rest Medium.
More info.

A vulnerability in the SIP inspection module of Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device. The vulnerability is due to improper parsing of SIP messages. An attacker could send a malicious SIP packet and trigger an integer underflow, causing the software to try to read unmapped memory and resulting in a crash.
More info.

A vulnerability in IKEv1 of Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a DoS condition. The vulnerability is due to improper management of system memory. An attacker could send malicious IKEv1 traffic to an affected device to exhaust system memory resources leading to a reload of the device. Valid credentials to authenticate the VPN session are not needed, nor does the source address.
More info.

A vulnerability in the FTP inspection engine of Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device. An attacker could exploit this vulnerability by sending malicious FTP traffic through an affected device. A successful exploit could allow the attacker to cause a DoS condition on the affected device.
More info.

SUSE has update, dovecot, thunderbird, and others.  More info.
CentOS has updated the kernel.  More info.

The Interpeak IPnet stack vulnerabilities were first reported under as the Urgent/11 affecting Wind River VxWorks. These vulnerabilities have expanded beyond the affected VxWorks systems and affect additional real-time operating systems (RTOS), including ENEA, Green Hills Software, ITRON, IP Infusion, and Wind River.  Again, this flows to all the devices that use these RTOS versions with the Interpeak IPnet stack.
More info.

Bulletins are mixed with the VxWorks bulletins, but CISA is reporting bulletins from BD, Drager, GE Healthcare, Philips Healthcare, and Spacelab.  See the CISA bulletin linked above.

Multiple security vulnerabilities have been fixed and delivered in IBM Security Directory Server, including XSS, XML manipulation, brute force attack, and others.
More info.

Two product vulnerabilities were identified in Moxa’s EDR-810 Series secure routers.  Improper input on the web console via the Admin or ConfigAdmin account allows unauthorized commands to be performed on the router, and the log information may be retrieved by an unauthenticated attacker, which may allow sensitive information to be disclosed.
More info.

One product vulnerability was identified in Moxa’s EDR-810 Series Secure Routers, multiple functions in the web server allow users to execute arbitrary codes.
More info.

Eleven security bulletins have been published for Zingbox Inspector, including hardcoded SSH credentials, storage of plaintext credentials, ARP spoofing, software update tampering, and RCE
More info.

SUSE has update, openssl, bind, and others.  More info.
OpenSUSE has updated chromium, nghttp2, and u-boot.  More info.
Arch Linux has updated ruby, systemd, and exim.  More info.
RedHat has updated nodejs.  More info.
Oracle Linux has updated the kernel.  More info.
Debian has updated openssl.  More info.
Ubuntu has updated clamav.  More info.

Security vulnerabilities in HPE UIoT version 1.2.4.2 could allow unauthorized remote access and access to sensitive data.  CVSSv3 score of 9.6.
More info.

A potential security vulnerability has been identified in HPE SimpliVity 380 and 2600, SimpliVity OmniCube, OmniStack for Cisco, Lenovo, and Dell. The deprecated Set_Axeda() and Set_Rda() APIs accept a path to a file and can be used touch or delete arbitrary files on the nodes as root. These APIs do not require user authentication and are accessible over the management network, resulting in a remote availability and integrity vulnerabilities.  CVSSv3 score of 9.1
More info.

A vulnerability exists in CA Network Flow Analysis that can allow a remote attacker to execute arbitrary commands.
More info.

Multiple RCE vulnerabilities have been identified in PhantomPDF.
More info.

RedHat has updated apache in JBoss and kpatch.  More info.
Oracle Linux has updated nodejs.  More info.
Ubuntu has updated the kernel and others.  More info.

A vulnerability has been discovered in PHP, which could allow an attacker to execute arbitrary code. PHP is prone to a heap-based buffer-overflow vulnerability because the 'mb_eregi()' function fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer.
More info.

There is a heap-based buffer overflow in string_vformat. The currently known exploit uses an extraordinary long EHLO string to crash the Exim process that is receiving the message.
More info.

Improper input on the web console via the Admin or ConfigAdmin account allows unauthorized commands to be performed on the router, and log information may be retrieved by an unauthenticated attacker, which may allow sensitive information to be disclosed.
More info.

IBM Sterling File Gateway could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.  Also, IBM Sterling B2B Integrator Standard Edition displays sensitive information in HTTP requests which could be used in further attacks against the system.
More info.

A maliciously crafted print file might cause certain HP Inkjet printers to assert. Under certain circumstances, the printer produces a core dump to a local device.
More info.

PuTTY has published an upate with two security fixes, including one that allows other applications to bind to the same TCP port as a PuTTY local port forwarding.
More info.

SUSE has updated gpg2.  More info.
OpenSUSE has updated phpmyadmin, expat, and others.  More info.
RedHat has updated nodejs.  More info.
CentOS has updated dovecot, openjdk, the kernel, and others.  More info.
Debian has updated exim, wpa, and others.  More info.
Ubuntu has updated exim.  More info.
Mageia has updated chromium, nghttp2, and others.  More info.