ABB has published seven bulletins regarding products that contain the Wind River VxWorks IPNet vulnerabilities that became public last July.  These include FOX615 Multiservice-Multiplexer, Relion 670, Relion 650, SAM600-IO Series, AFS66x, NSD570 Teleprotection Equipment, ETL600 Power Line Carrier System, REB500, and RTU500 series.
More info.

An improper neutralization of input vulnerability in the FortiGateCloud login page may allow a remote unauthenticated attacker to perform a reflected cross site scripting attack (XSS) via a specifically crafted login request.
More info.

OpenSUSE has updated python, pdns-recursor, tomcat, gcc, and others.  More info.
Arch Linux has updated freerdp.  More info.
RedHat has updated the kernel and others.  More info.
Debian has updated netqmail.  More info.
Ubuntu has updated the kernel.  More info.
Mageia has updated the kernel, clamav, wireshark, dns resolvers, and others.  More info.

During installation or upgrade to C•CURE 9000 and victor Video Management System, the credentials of the Windows account used to perform the installation or upgrade is logged in a file. The install log file persists after the installation. This results in unintended plain text storage of the Windows user credentials. CVSSv3 score of 9.9
More info.

An elevation of privilege vulnerability exists in Microsoft Edge (Chromium-based) when the Feedback extension improperly validates input. An attacker who successfully exploited this vulnerability could write files to arbitrary locations and gain elevated privileges.
More info.

NetApp has published two security bulletins about vulnerabilities in third-party software included in their products.  No patches yet.
More info.

SUSE has updated tomcat, bind, dovecot and others.  More info.
RedHat has updated .NET and dotnet.  More info.
CentOS has updated squid.  More info.
Debian has updated pdns-recursor.  More info.
Ubuntu has updated clamav, the kernel, and others.  More info.

Cisco has published five security bulletins, one rated Critical, one rated High, and three rated Medium.
More info.

A vulnerability in the Java Remote Management Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
More info.

A vulnerability in the DHCP server of Cisco Prime Network Registrar could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
More info.

Apple has published updates for iOS, iPadOS, tvOS, and xCode.  Details for most are not yet available.
More info.

DB2 contains several vulnerabilities which can affect the IBM Performance Management product.  Highest CVSSv3 score of 9.8
More info.

IBM DataPower Gateway is affected by multiple vulnerabilities in Dojo. Highest CVSSv3 score of 7.5
More info.

Xerox has published several bulletins regarding Solaris, Java, Firefox, and BIOS updates for the FreeFlow Print Server platforms.
More info.

Traffix SDC contains a vulnerability that allows an attacker to trigger a DoS attack through memory exhaustion.  No patch yet
More info.

Element OS and Element HealthTools are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information.
More info.

FortiAnalyzer and FortiManager are vulnerable to a 2004 CVE that allows remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST or SYN packet.
More info.

SUSE has updated bind and others.  More info.
Arch Linux has updated bind, unbound, chromium, and ant.  More info.
CentOS has updated firefox, squid, thunderbird, and the kernel.  More info.
Debian has updated dovecot.  More info.

Google has updated Chrome for Desktop to correct 38 security vulnerabilities.
More info.

Emerson OpenEnterprise SCADA software contains several vulnerabilities.  Successful exploitation of these vulnerabilities could allow an attacker access to OpenEnterprise configuration services or access passwords for OpenEnterprise user accounts.  Highest CVSSv3 score of 10.0
More info.

NXNSAttack allows malicious parties to use recursive DNS services to attack third party authoritative name servers.
More info. And here.

PowerDNS Recursor has released a fix. More info.
Microsoft is aware, no patch. More info.
Unbound has updated their DNS resolver for the these issues. More info.
Same for Knot Resolver. More info.
ISC BIND has updated.  More info.

TIBCO JasperReports Server contains a vulnerability that allows an unauthenticated attacker to obtain the permissions of a JasperReports Server "superuser" for the affected systems. The attacker can exploit the vulnerability consistently, remotely, and without authenticating. Highest CVSSv3 of 9.8
More info.

Potential remote access security vulnerabilities have been identified with HPE Nimble Storage systems that could be exploited by an attacker to access and modify sensitive information on the system. CVSSv3 score of 9.9
More info.

Potential remote code execution security vulnerabilities have been identified with HPE Nimble Storage systems that could be exploited by an attacker to gain elevated privileges on the array. CVSSv3 score of 9.9
More info.

Multiple components within the Dell EMC Unity, Dell EMC Unity VSA, and Dell EMC Unity XT Product Families require a security update to address various vulnerabilities.  Dell has rated this Critical.
More info.

It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
More info.

SUSE has updated dpdk, python, and others.  More info.
Arch Linux has updated openconnect, powerdns, and dovecot.  More info.
RedHat has updated java, the kernel, and others.  More info.
Debian has updated bind.  More info.
Ubuntu has updated exim and bind.  More info.

Moodle contains two vulnerabilities rated Serious. The first allows RCE, the second allows stored XSS.
More info. And here.

Adobe has published updates for Premier Rush, Audition, Premier Pro, and Character Animator.  Vulnerabilities fixed include OOB memory read leading to information disclosure, privilege escalation, and stack overflow reading to RCE.
More info.

Apple has published updates for watchOS.  Details aren't yet available.
More info.

Multiple vulnerabilities in Apache Solr (lucene) were addressed by IBM InfoSphere Information Server. CVSSv3 score of 9.8
More info.

A CSRF vulnerability was discovered in the web user interface of F-Secure Linux Security. An unauthenticated user can send the CSRF request to the web user interface. A successful attack can lead to the product settings being disabled remotely through the web interface. These include antivirus, the firewall, and the integrity protection settings.
More info.

An error in BIND code which checks the validity of messages containing TSIG resource records can be exploited by an attacker to trigger an assertion failure in tsig.c, resulting in denial of service to clients.
More info.

BIND does not sufficiently limit the number of fetches which may be performed while processing a referral response. A malicious actor who intentionally exploits this lack of limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral, resulting in degraded performance or use as a reflector in a reflection attack with a high amplification factor.
More info.

Debian has updated dpdk.  More info.
Ubuntu has updated the kernel and dpdk.  More info.

Microsoft has revised the Security Updates table of CVE-2020-1108 to include PowerShell Core 6.2 and 7.0 because they are affected by CVE-2020-1108.
More info.

PHP 7 has been updated to fix two security bugs that allow long variables and long file names to cause OOM and possible crash.
More info. And here. And here.

Ewon eCatcher contains a vulnerability that may allow an attacker to eavesdrop the connection with a forged certificate.
More info.

IBM Sterling B2B Integrator has addressed multiple security vulnerabilities in jackson-databind.  CVSSv3 score of 9.8
More info.

A widely used function in the OpenJ9 JVM is vulnerable to buffer overflows. Multiple Java Runtime components use the vulnerable code, so the issue can manifest in a number of different ways.
More info.

A potential XSS vulnerability has been identified in Service Manager. The vulnerability could be exploited to allow remote attackers to inject arbitrary web script or HTML.
More info.

NetApp has published eight new security bulletins covering vulnerabilities in third-party software included in their products.  No patches yet.
More info.

SUSE has updated mailman and others.  More info.
OpenSUSE has updated mailman and others.  More info.
Arch Linux has updated keycloak.  More info.
Oracle Linux has updated the kernel.  More info.
Debian has updated exim and apache-log4j.  More info.
Ubuntu has updated dovecot.  More info.
Mageia has updated ntp, flash, libreswan, and others.  More info.

Emerson WirelessHART Gateways contain a vulnerability which disables the internal gateway firewall if the VLAN feature is enabled. Once the gateway's firewall is disabled, a malicious user could issue specific commands to the gateway, which could then be forwarded on to the end user's wireless devices. CVSSv3 score of 10.0
More info.

Multiple security vulnerabilities exist in Opto 22 SoftPAC Project, a virtual PLC. Highest CVSSv3 score of 9.8
More info.

APTARE has been updated to correct several security issues, including Information Disclosure, Authorization bypass, and Authentication weakness.
More info.

VMware Directory Service (vmdir) within Dell EMC VxFlex Integrated Rack requires a security update to address a vulnerability. CVSSv3 score of 9.8
More info.

Hitachi has published updates to correct a DoS vulnerability in JP1/Automatic Job Management System, Compute Systems Manager, Command Suite, Automation Director, Configuration Manager, Infrastructure Analytics Advisor and Ops Center.
More info.

SUSE has updated the kernel and others.  More info.
RedHat has updated the kernel.  More info.
Gentoo Linux has updated freerdp, libmicrodns, chromium, and others. More info.
Amazon Linux has updated php, the kernel, java, and others.  More info.
Amazon Linux 2 has updated the kernel.  More info.

Micro Focus has published an update for NetIQ Access Manager, that fixes an information leak in debug mode.
More info. And here.

Multiple security vulnerabilities in Jackson-databind Affect IBM Sterling B2B Integrator. Highest CVSSv3 score of 9.8
More info.

Multiple components within Dell EMC DCA require a security update to address various vulnerabilities in the kernel, sudo, ppp, openjdk, and php. Dell has rated this Critical.
More info.

Palo Alto Networks has published 28 new bulletins. One is rated Critical, five are listed as exploitable by remote attackers with low complexity.
More info.

An authentication bypass vulnerability in the Panorama context switching feature allows an attacker with network access to a Panorama's management interface to gain privileged access to managed firewalls.
More info.

Improper restriction of XXE vulnerability in Palo Alto Networks Panorama management service allows remote unauthenticated attackers with network access to the Panorama management interface to read arbitrary files on the system.
More info.

SUSE has updated apache2 and others.  More info.
RedHat has updated .NET core and others.  More info.
Debian has updated apt and libreswan.  More info.
Ubuntu has updated apt, iproute, squid, and others.  More info.

Microsoft Monthly Patches are out.  There are 111 vulnerabilities, 16 rated Critical.  Affected products include Microsoft Windows, Microsoft Edge (HTML and Chromium based), ChakraCore, IE, Office and Office Services and Web Apps, Defender, Visual Studio, Microsoft Dynamics, .NET Framework, .NET Core, and Power BI. Highest CVSSv3 score of 8.8
More info.  And here.

Adobe has published Monthly Patches including updates for Acrobat and Reader for Windows and macOS, and DNG SDK for Windows and macOS.  Successful exploitation of some of these vulnerabilities could lead to arbitrary code execution.
More info.  And here.

Schneider Electric has published Monthly Patches.  There are four new bulletins and five updated bulletins.  The new bulletins affect Pro-face GP-Pro EX Programming Software, Vijeo Designer, U.motion Servers and Touch Panels, and EcoStruxure Operator Terminal Expert.
More info.

Use of Hard-coded Credentials vulnerability exists which could cause unauthorized read and write when downloading and uploading project or firmware into Vijeo Designer Basic and Vijeo Designer.
More info.

U.motion Servers and Touch Panels contain an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, which could cause arbitrary code to be executed when a malicious command is entered.
More info.

ClamAV has published a new release that fixes two CVEs, both of which could result in a DoS.
More info.

IBM WebSphere Cast Iron Solution & App Connect Professional has addressed the vulnerabilities reported in Apache Tomcat. Apache Tomcat could allow a remote attacker to execute arbitrary code on the system, caused by a file read/inclusion vulnerability in the AJP connector.
More info.

McAfee has published an ePolicy Orchestrator update that fixes Java vulnerabilities, most of which can be exploited by remote attackers.
More info.

SUSE has updated the kernel.  More info.
RedHat has updated the kernel and others.  More info.
Oracle Linux has updated the kernel.  More info.
Gentoo Linux has updated squid, firefox, thunderbird, and others.  More info.

SAP Monthly Patch day brings 18 security notes and 4 updated notes.  Six security Notes are rated Hot News, five are rated High, the rest Medium.  Three cover Missing Authentication Checks, one is Missing Authentication, two allow DoS.  Highest CVSSv3 score is 9.8
More info.

Siemens has released their Monthly Patches.  There is one new bulletin for Urgent/ll in Power Meters, and six updated bulletins.
More info.

BIG-IP Edge Client Windows contains a vulnerability which allows an attacker to trigger memory corruption to the browser or execute code from the browser when the attacker crafts a malicious webpage and loads it into the Internet Explorer browser by BIG-IP Edge Client users.
More info.

IBM API Connect is impacted by vulnerabilities in PHP that could allow DoS or RCE. Highest CVSSv3 score of 9.8
More info.

A malicious IKEv1 packet can cause libreswan to restart.  While building a log message that the packet has been dropped, a NULL pointer dereference causes libreswan to crash and restart when it attempts to log the state name involved.
More info.

RedHat has updated libreswan, chromium, and others.  More info.
Oracle Linux has updated thunderbird and the kernel.  More info.

SAP Monthly Patch day brings 18 security notes and 4 updated notes.  Six security Notes are rated Hot News, five are rated High, the rest Medium.  Three cover Missing Authentication Checks, one is Missing Authentication, two allow DoS.  Highest CVSSv3 score is 9.8
More info.

Siemens has released their Monthly Patches.  There is one new bulletin for Urgent/ll in Power Meters, and six updated bulletins.
More info.

BIG-IP Edge Client Windows contains a vulnerability which allows an attacker to trigger memory corruption to the browser or execute code from the browser when the attacker crafts a malicious webpage and loads it into the Internet Explorer browser by BIG-IP Edge Client users.
More info.

IBM API Connect is impacted by vulnerabilities in PHP that could allow DoS or RCE. Highest CVSSv3 score of 9.8
More info.

A malicious IKEv1 packet can cause libreswan to restart.  While building a log message that the packet has been dropped, a NULL pointer dereference causes libreswan to crash and restart when it attempts to log the state name involved.
More info.

RedHat has updated libreswan, chromium, and others.  More info.
Oracle Linux has updated thunderbird and the kernel.  More info.

Two vulnerabilities were disclosed in Salt, an open source project by SaltStack, which have been determined to affect VMware vRealize Operations Manager. Highest CVSSv3 score of 10.  Patches are coming, workarounds recommended.
More info.

A vulnerability in SRM allows remote attackers to conduct DoS attacks via crafted network traffic. CVSSv3 score of 8.6
More info.

NetApp has published six new bulletins covering vulnerabilities in third-party software included in their products.  No patches yet.
More info.

SUSE has updated firefox, thunderbird, squid, and others.  More info.
OpenSUSE has updated squid, firefox, thunderbird, php, chromium, and others.  More info.
Arch Linux has updated thunderbird.  More info.
Debian has updated thunderbird and squid.  More info.
RedHat has updated thunderbird.  More info.
Oracle Linux has updated firefox.  More info.
Mageia has updated chromium.  More info.