IBM has announced a security update for IBM Security Identity Governance and Intelligence (IGI). Hard coded credentials have been removed from the IBM Security Directory Integrator version used by IBM Security Identity Governance and Intelligence.  Also, the Virtual Appliance is vulnerable to an XML External Entity Injection (XXE) attack that could expose sensitive information or consume memory resources.
More info. And here.

Two vulnerabilities were found in the Community Virtual Appliance, which would allow a remote attacker with access to the management console and administrator rights to execute arbitrary privilege commands on the operating system.
More info. And here.

Micro Focus has published a security patch for Identity Intelligence and NetIQ Identity Manager.  The vulnerability could be exploited to unauthorized access in several products built on the Micro Focus CDF, including ArcSight Investigate, Transformation Hub, ArcSight Interset, ArcSight ESM, ArcSight Investigate, Transformation Hub, Operation Bridge Suite, Network Operation Management, Data Center Automation, Hybrid Cloud Management, and SMA.
More info. And here. And here. And here. And here. And here. And here. And here.

Cloud Optimizer contains the Apache Tomcat AJP vulnerability, which could be exploited to file content disclosure of the web application or remote code execution.
More info.

Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE) incorporate a version of SaltStack that is affected by Authentication Bypass and Directory Traversal vulnerabilities.
More info.

The NSA is reporting that Russian cyber actors, known publicly as Sandworm, have been exploiting a vulnerability in Exim MTA software since at least August 2019. A patch was released June 2019. If you haven't patched, you're part of the problem.
More info.

RedHat has updated git, freerdp, bind, and more.  More info.
Oracle Linux has updated git.  More info.

SWARCO Traffic Systems product CPU LS4000 contains an open port used for debugging which grants root access to the device without access control via network. A malicious user could use this vulnerability to get access to the device and disturb operations with connected devices. CVSSv3 score of 10
More info.

Hirschmann OWL devices are vulnerable to the pppd EAP buffer overflow, which allows remote attackers to execute arbitrary code. CVSSv3 score of 9.8
More info.

Multiple components within Dell EMC SRS Virtual Edition require a security update to address various vulnerabilities.  Dell has rated this a Critical update.
More info.

NetApp has published six new bulletins covering vulnerabilities in third-party software included in their products.  No patches yet.
More info.

SUSE has updated the tomcat.  More info.
Debian has updated unbound.  More info.
Ubuntu has updated openssl, php, unbound, and others.  More info.

Inductive Automation Ignition 8 Gateway contains several vulnerabilities, including Missing Authentication and Deserialization of Untrusted Data.  Successful exploitation of these vulnerabilities could allow an attacker to obtain sensitive information and perform remote code execution with SYSTEM privileges. Highest CVSSv3 score of 9.8
More info.

Bosch Recording Station uses Windows 7, and is affected by EternalBlue and BlueKeep, as well as Kiosk mode escape.  No patches, closed network access and physical appliance upgrade are recommended.
More info.

Apple has published security updates for macOS, Safari, iCloud, and Windows Migration Assistant, containing  RCE, Information Disclosure, and DoS vulnerabilities. Also, details for security updates published last week are now available.
More info.

Trend Micro has released a new Critical Patch for Trend Micro InterScan Web Security Appliance (IWSVA) 6.5.  This resolves multiple vulnerabilities related to XSS, directory traversal information disclosure, authenticated command injection and authentication bypass. 
More info.

SUSE has updated the kernel, mariadb, and others.  More info.
Arch Linux has updated freerdp.  More info.
RedHat has updated the kernel, jackson-databind, ruby, and others.  More info.
Debian has updated unbound.  More info.
Ubuntu has updated thunderbird.  More info.
Mageia has updated nginx and others.  More info.

ABB has published seven bulletins regarding products that contain the Wind River VxWorks IPNet vulnerabilities that became public last July.  These include FOX615 Multiservice-Multiplexer, Relion 670, Relion 650, SAM600-IO Series, AFS66x, NSD570 Teleprotection Equipment, ETL600 Power Line Carrier System, REB500, and RTU500 series.
More info.

An improper neutralization of input vulnerability in the FortiGateCloud login page may allow a remote unauthenticated attacker to perform a reflected cross site scripting attack (XSS) via a specifically crafted login request.
More info.

OpenSUSE has updated python, pdns-recursor, tomcat, gcc, and others.  More info.
Arch Linux has updated freerdp.  More info.
RedHat has updated the kernel and others.  More info.
Debian has updated netqmail.  More info.
Ubuntu has updated the kernel.  More info.
Mageia has updated the kernel, clamav, wireshark, dns resolvers, and others.  More info.

During installation or upgrade to C•CURE 9000 and victor Video Management System, the credentials of the Windows account used to perform the installation or upgrade is logged in a file. The install log file persists after the installation. This results in unintended plain text storage of the Windows user credentials. CVSSv3 score of 9.9
More info.

An elevation of privilege vulnerability exists in Microsoft Edge (Chromium-based) when the Feedback extension improperly validates input. An attacker who successfully exploited this vulnerability could write files to arbitrary locations and gain elevated privileges.
More info.

NetApp has published two security bulletins about vulnerabilities in third-party software included in their products.  No patches yet.
More info.

SUSE has updated tomcat, bind, dovecot and others.  More info.
RedHat has updated .NET and dotnet.  More info.
CentOS has updated squid.  More info.
Debian has updated pdns-recursor.  More info.
Ubuntu has updated clamav, the kernel, and others.  More info.

Cisco has published five security bulletins, one rated Critical, one rated High, and three rated Medium.
More info.

A vulnerability in the Java Remote Management Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
More info.

A vulnerability in the DHCP server of Cisco Prime Network Registrar could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
More info.

Apple has published updates for iOS, iPadOS, tvOS, and xCode.  Details for most are not yet available.
More info.

DB2 contains several vulnerabilities which can affect the IBM Performance Management product.  Highest CVSSv3 score of 9.8
More info.

IBM DataPower Gateway is affected by multiple vulnerabilities in Dojo. Highest CVSSv3 score of 7.5
More info.

Xerox has published several bulletins regarding Solaris, Java, Firefox, and BIOS updates for the FreeFlow Print Server platforms.
More info.

Traffix SDC contains a vulnerability that allows an attacker to trigger a DoS attack through memory exhaustion.  No patch yet
More info.

Element OS and Element HealthTools are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information.
More info.

FortiAnalyzer and FortiManager are vulnerable to a 2004 CVE that allows remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST or SYN packet.
More info.

SUSE has updated bind and others.  More info.
Arch Linux has updated bind, unbound, chromium, and ant.  More info.
CentOS has updated firefox, squid, thunderbird, and the kernel.  More info.
Debian has updated dovecot.  More info.

Google has updated Chrome for Desktop to correct 38 security vulnerabilities.
More info.

Emerson OpenEnterprise SCADA software contains several vulnerabilities.  Successful exploitation of these vulnerabilities could allow an attacker access to OpenEnterprise configuration services or access passwords for OpenEnterprise user accounts.  Highest CVSSv3 score of 10.0
More info.

NXNSAttack allows malicious parties to use recursive DNS services to attack third party authoritative name servers.
More info. And here.

PowerDNS Recursor has released a fix. More info.
Microsoft is aware, no patch. More info.
Unbound has updated their DNS resolver for the these issues. More info.
Same for Knot Resolver. More info.
ISC BIND has updated.  More info.

TIBCO JasperReports Server contains a vulnerability that allows an unauthenticated attacker to obtain the permissions of a JasperReports Server "superuser" for the affected systems. The attacker can exploit the vulnerability consistently, remotely, and without authenticating. Highest CVSSv3 of 9.8
More info.

Potential remote access security vulnerabilities have been identified with HPE Nimble Storage systems that could be exploited by an attacker to access and modify sensitive information on the system. CVSSv3 score of 9.9
More info.

Potential remote code execution security vulnerabilities have been identified with HPE Nimble Storage systems that could be exploited by an attacker to gain elevated privileges on the array. CVSSv3 score of 9.9
More info.

Multiple components within the Dell EMC Unity, Dell EMC Unity VSA, and Dell EMC Unity XT Product Families require a security update to address various vulnerabilities.  Dell has rated this Critical.
More info.

It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
More info.

SUSE has updated dpdk, python, and others.  More info.
Arch Linux has updated openconnect, powerdns, and dovecot.  More info.
RedHat has updated java, the kernel, and others.  More info.
Debian has updated bind.  More info.
Ubuntu has updated exim and bind.  More info.

Moodle contains two vulnerabilities rated Serious. The first allows RCE, the second allows stored XSS.
More info. And here.

Adobe has published updates for Premier Rush, Audition, Premier Pro, and Character Animator.  Vulnerabilities fixed include OOB memory read leading to information disclosure, privilege escalation, and stack overflow reading to RCE.
More info.

Apple has published updates for watchOS.  Details aren't yet available.
More info.

Multiple vulnerabilities in Apache Solr (lucene) were addressed by IBM InfoSphere Information Server. CVSSv3 score of 9.8
More info.

A CSRF vulnerability was discovered in the web user interface of F-Secure Linux Security. An unauthenticated user can send the CSRF request to the web user interface. A successful attack can lead to the product settings being disabled remotely through the web interface. These include antivirus, the firewall, and the integrity protection settings.
More info.

An error in BIND code which checks the validity of messages containing TSIG resource records can be exploited by an attacker to trigger an assertion failure in tsig.c, resulting in denial of service to clients.
More info.

BIND does not sufficiently limit the number of fetches which may be performed while processing a referral response. A malicious actor who intentionally exploits this lack of limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral, resulting in degraded performance or use as a reflector in a reflection attack with a high amplification factor.
More info.

Debian has updated dpdk.  More info.
Ubuntu has updated the kernel and dpdk.  More info.

Microsoft has revised the Security Updates table of CVE-2020-1108 to include PowerShell Core 6.2 and 7.0 because they are affected by CVE-2020-1108.
More info.

PHP 7 has been updated to fix two security bugs that allow long variables and long file names to cause OOM and possible crash.
More info. And here. And here.

Ewon eCatcher contains a vulnerability that may allow an attacker to eavesdrop the connection with a forged certificate.
More info.

IBM Sterling B2B Integrator has addressed multiple security vulnerabilities in jackson-databind.  CVSSv3 score of 9.8
More info.

A widely used function in the OpenJ9 JVM is vulnerable to buffer overflows. Multiple Java Runtime components use the vulnerable code, so the issue can manifest in a number of different ways.
More info.

A potential XSS vulnerability has been identified in Service Manager. The vulnerability could be exploited to allow remote attackers to inject arbitrary web script or HTML.
More info.

NetApp has published eight new security bulletins covering vulnerabilities in third-party software included in their products.  No patches yet.
More info.

SUSE has updated mailman and others.  More info.
OpenSUSE has updated mailman and others.  More info.
Arch Linux has updated keycloak.  More info.
Oracle Linux has updated the kernel.  More info.
Debian has updated exim and apache-log4j.  More info.
Ubuntu has updated dovecot.  More info.
Mageia has updated ntp, flash, libreswan, and others.  More info.