Researchers have identified a number of vulnerabilities, including backdoors, hardcoded credentials, authentication bypass, and unauthorized access.  FiberHome websites are unresponsive at the moment.
More info.

There is a missing authorization vulnerability in the Apache Solr service that is distributed as part of Watson Knowledge Catalog for IBM Cloud Pak for Data. CVSSv3 score of 9.4
More info.

NetApp has published 8 new bulletins identifying vulnerabilities in third-party software included in their products.
More info.

Apache Tomcat could allow a remote attacker to obtain sensitive information. By sending a specially-crafted request, an attacker can view the source code for JSPs in some configurations, and use this information to launch further attacks against the affected system.
More info.

SUSE has updated the kernel and several other packages. More info.
Ubuntu has updated the kernel and several other packages. More info.
RedHat has updated the kernel and openshift. More info.
Mageia has updated the kernel. More info.
Amazon Linux has updated the kernel and several other packages. More info.
Alpine Linux has released version 3.13.0. More info.

Palo Alto Networks Monthly patches are two vulnerability bulletins and one informational. Highest CVSSv3 score of 4.4
More info.

Juniper Quarterly Patches are out, with 23 bulletins.  Several remote, unauthenticated DoS vulnerabilities are addressed, as well as third-party software vulnerabilities in the products.
More info.

A vulnerability that allows an unauthenticated remote attacker to obtain access that would otherwise be denied in the Simple Authentication and Security Layer (SASL) implementation that is part of the OpenLDAP third party software package has been resolved in Juniper Networks SRX Series configured with Integrated User Firewall. CVSSv3 score of 7.4
More info.

An Information Exposure vulnerability in J-Web of Juniper Networks Junos OS allows an unauthenticated attacker to elevate their privileges over the target system through opportunistic use of an authenticated users session. CVSSv3 score of 6.8
More info.

Cisco has published 23 new bulletins, four are rated High.
More info.

A remote, authenticated or anonymous attacker can exploit a vulnerability in Nagios Enterprises Nagios XI to execute arbitrary program code with administrator rights, to reveal information and to carry out a cross-site scripting attack.
More info.

IBM has published new bulletins, seven with a Critical rating. All the Critical bulletins have CVSSv3 scores of 9.8.  Products include MaaS360 Cloud Extender, App Connect Enterprise, Integration Bus, Guardium Data Encryption, and Security Privileged Identity Manager.
More info.

Multiple security vulnerabilities (Ripple20) have been identified in the optional HP/HPE R7000 and R5000 Uninterruptable Power System Network Module Firmware (AF465A). The vulnerabilities could be remotely exploited to execute code, cause denial of service, and expose sensitive information.
More info.

Dell has updated EMC Enterprise Hybrid Cloud to patch multiple VMWare vulnerabilities. Dell rates this Critical.
More info.

Dell EMC Avamar Server contains remediation for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system. Dell rates this Critical. Highest CVSSv3 score of 10
More info.

Aruba has released updates to Airwave Glass that address multiple security vulnerabilities that would allow an unauthenticated remote attacker to bypass authentication, arbitrary code execution, and arbitrary command execution. Highest CVSSv3 score of 9.8
More info.

Huawei has updated their products to fix an Apache Struts2 remote code execution vulnerability.  CVSSv3 score of 9.8
More info.

SUSE has updated the kernel, crmsh, and others. More info.
Arch Linux has updated nodejs, atftp, and several others.  More info.
Oracle Linux has updated the kernel. More info.
RedHat has updated the kernel and others. More info.

Microsoft Monthly Patches are out, with patches for 83 vulnerabilities, 10 of which are rated Critical, one has been previously disclosed, and one is actively being exploited.  Highest CVSSv3 score of 8.8
There are security updates for Windows, Edge (EdgeHTML-based), Office and Office Services and Web Apps, Windows Codecs Library, Visual Studio, SQL Server, Malware Protection Engine, .NET Core, .NET Repository, ASP .NET, and Azure.
More info. And here. And here.

SAP Monthly Patches are out, with 10 new Security Notes and 7 updated Notes.  Five are rated Hot News, 1 High, 10 Medium, and 1 Low.  Four address missing authorization vulnerabilities.
More info.

It's Adobe Patch Day, and they have published seven updates, including updates for Bridge, Captivate, InCopy, Campaign Classic, Animate, Illustrator, and Photoshop.  All the vulnerabilities are rate Critical.
More info.

Siemens Monthly Patches have been published, with four new bulletins and eight updated bulletins. 
More info.

Several SCALANCE X switches contain vulnerabilities in the web server of the affected devices.An unauthenticated attacker could reboot, cause denial-of-service conditions and potentially impact thesystem by other means through heap and buffer overflow vulnerabilities. CVSSv3 score of 9.8
More info.

Scalance X devices might not generate a unique random key after factory reset, and use a private keyshipped with the firmware. CVSSv3 score of 9.1
More info.

Schneider Electric Monthly Patches consist of three new bulletins and four updated bulletins.
More info.

Schneider Electric uses Treck Inc.’s HTTP Server component in the Sepam ACE850, which contains a heap-based buffer overflow.  CVSSv3 score of 10
More info.

EcoStruxure Operator Terminal Expert (formerly known as Vijeo XD) and Pro-face BLUE products contain an Improper Input Validation vulnerability exists that could cause arbitrary code execution when the Ethernet Download feature is enable on the HMI. CVSSv3 score of 8.8
More info.

Mozilla has published an update for Thunderbird, rated Critical, which could be used for RCE.
More info.

HCL Commerce contains an unspecified vulnerability that could allow denial of service, disclosure of user personal data, and performing of unauthorized administrative operations. CVSSv3 score of 9.8
More info.

HCL Commerce contains an information disclosure vulnerability that could allow a remote attacker to obtain user personal data. CVSSv3 score of 7.5
More info.

A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. 
More info.

Gentoo Linux has published 8 new security updates. More info.

Microsoft has updated chromium-based Edge with the latest chromium patches.
More info.

Hitachi ABB Power Grids FOX615 Multiservice-Multiplexer contain a vulnerability in the libssh library that allows an attacker to send a specially crafted message to the device, causing it to open a communication channel without first performing authentication which may allow an attacker to execute arbitrary commands. CVSSv3 score of 9.1
More info.

IBM has published updates to Netcool Operations Insight that fixes vulnerabilities in node.js. CVSSv3 score of 9.8
More info.

NetApp has published seven new bulletins regarding vulnerabilities in third-party software included in NetApp products.  Few patches available.
More info.

Element OS is susceptible to a vulnerability that could allow an unauthenticated remote attacker to perform arbitrary code. Vulnerable versions are only exploitable for a limited window during the boot process. CVSSv3 score of 7.5
More info.

Oracle Linux has updated the kernel. More info.

A vulnerability has been discovered in Firefox, Firefox ESR and Firefox for Android, which could allow for arbitrary code execution.
More info.

Google has updated Chrome for Desktop to include 16 security fixes, most rated High.
More info.

PHP has been patched to correct a vulnerability where PHP accepts URLs with invalid userinfo.
More info. And here.

IBM has addressed Critical vulnerabilities in third-party software included in their products.  NGINX, Golang, jackson-databind, and Docker vulnerabilities are patched in Spectrum Discover, Event Streams, IBP, and Aspera High-Speed Sync. Highest CVSSv3 score of 9.8
More info.

A blind SQL injection in the user interface of FortiWeb may allow an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted Authorization header containing a malicious SQL statement. CVSSv3 score of 6.4
More info.

A stack-based buffer overflow vulnerability in FortiWeb may allow an unauthenticated, remote attacker to overwrite the content of the stack and potentially execute arbitrary code by sending a crafted request with a large certname. CVSSv3 score of 6.4
More info.

Red Lion has reported two vulnerabilities in Crimson.  A NULL pointer deference vulnerability has been identified in the protocol converter. An attacker could send a specially crafted packet that could reboot the device, and the default configuration of the affected product allows a user to be able to read and modify the database without authentication. Highest CVSSv3 score of 7.5
More info.

Meinberg has patched the LANTIME products to fix a vulnerability in OpenSSL.  CVSSv3 score of 5.9
More info.

SUSE has updated python, java, and others. More info.
Ubuntu has updated the kernel and others. More info.

Qualcomm Monthly Patches are out with 17 CVEs addressed.  Six are rated Critical, 10 rated High, and one rated Moderate. Highest CVSSv3 score of 9.8
More info.

It's Android Patch Day, with 27 addressed vulnerabilities plus the Qualcomm patch set.  Two are rated Critical, 24 are rated High, and one Moderate.  Of note, the most severe vulnerabilities could enable a remote attacker to execute arbitrary code or cause a permanent denial of service.
More info.

Pixel monthly patches add four more vulnerabilities, one rated High and the rest Moderate.
More info.

Samsung has published their Monthly Patches.  In addition to the Google Android patches there are nine Samsung vulnerabilities addressed, but only four are disclosed.  One of those is rated High and three Moderate.
More info.

NEC Platforms UNIVERGE SV9500/SV8500 series products could allow a remote attacker to execute arbitrary commands on the system, caused by an OS command injection flaw. CVSSv3 score of 8.8
More info.

Arch Linux has updated rsync and others. More info.
RedHat has updated the kernel. More info.
Oracle Linux has updated the kernel. More info.

PEPPERL+FUCHS multiple Comtrol IO-LInk Master products contain multiple vulnerabilities that allow remote attackers to gain access to the device and execute any program and tap information. Highest CVSSv3 score of 8.8
More info.

A security restrictions bypass vulnerability exists in Stable Yield Credit (yCREDIT). The vulnerability allows a remote attacker to bypass implemented security restrictions and obtain more yCREDIT tokens than they should. CVSSv3 score of 7.2  This has been exploited in the wild.
More info.

Ubuntu has updated libproxy. More info.
Mageia has updated libxml2, ethtool, and others. More info.

Cross Site Request Forgery on previous versions of NSM might allow an attacker to change the configuration in the NSM UI. CVSSv3 score of 6.6
More info.

Traffix SDC uses Apache Tomcat which contains a HTTP request header re-use vulnerability.  A remote attacker can exploit this vulnerability to obtain sensitive data from information leakage between HTTP requests. CVSSv3 score of 7.5
More info.

A vulnerability allows remote attackers to obtain sensitive information via a susceptible version of Synology Router Manager (SRM).
More info.

Mageia has updated curl. More info.

A vulnerability has been reported in QNAP NAS software which allows an attacker to access sensitive information stored in cleartext inside cookies via certain widely-available tools. 
More info.

A vulnerability has been reported to affect QNAP devices which allows a remote attacker to gain access to sensitive information during cleartext transmission.
More info.

HCL Domino is susceptible to a Denial of Service (DoS) vulnerability due to insufficient validation of input to its public API. An unauthenticated attacker could could exploit this vulnerability to crash the Domino server.  CVSSv3 score of 5.3
More info.

SUSE has updated squid and others. More info.

The SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands.
More info. And here.

Rockwell Automation reports vulnerabilities within FactoryTalk Linx software and FactoryTalk Services Platform. If successfully exploited, these vulnerabilities may result in denial-of-service conditions. Highest CVSSv3 score of 7.5  No patches yet.
More info. And here.

SUSE has updated gimp, cyrus-sasl, and others. More info.
Debian has updated roundcube and horizon.  More info.
Mageia has updated roundcube, python, and others. More info.

HP has identified a potential security vulnerability with the IPv6 network stack of certain HP and Samsung branded printers that could result in a denial of service. CVSSv3 score of 5.3   No patches yet.
More info.

SUSE has updated thunderbird and others. More info.
Gentoo Linux has updated haproxy, apache tomcat, and samba. More info.
Mageia has updated erlang-rebar3. More info.