Phoenix Contact Emalytics Controllers ILC 2050 BI contain a vulnerability that allows an unauthorized attacker to change the device configuration and start or stop services. A link on the website of the devices allows unauthorized read and write access to the configuration of the devices. CVSSv3 score of 9.4
More info.

CA is alerting customers to three vulnerabilities in CA Unified Infrastructure Management (Nimsoft / UIM). Multiple vulnerabilities exist that can allow an unauthenticated remote attacker to execute arbitrary code or commands, read from or write to systems, or conduct denial of service attacks.
More info.

Xerox has published security bulletins addressing vulnerabilities in third-party software(Solaris, Java, and Firefox) included in the FreeFlow Print Server products.
More info.

An Insufficient Verification of Data Authenticity vulnerability in FortiManager may allow an unauthenticated attacker to perform a Cross-Site WebSocket Hijacking (CSWSH) attack.
More info.

FortiGate models which do not contain and embedded TRNG may suffer from insufficient entropy ("seed") in the CTR DRBG random data software generator, in their default configuration. Insufficient randomness of the software source used to seed FortiOS' random number generator enables theoretical and experimental attacks.
More info.

Huawei has published or updated eight security bulletins, addressing DoS, OOB read, and other vulnerabilities in their products.
More info.

RedHat has updated sudo and others.  More info.
Oracle Linux has updated sudo and the kernel.  More info.
Debian has updated postgresql. More info.
Ubuntu has updated firefox.  More info.

Insufficient Cross-Site Request Forgery (XSRF) protection on Expedition Migration Tool allows remote unauthenticated attackers to hijack the authentication of administrators and to perform actions on the Expedition Migration Tool.
More info.

IBM Tivoli Monitoring Service could allow an unauthorized user to access and modify operation aspects of the ITM monitoring server possibly leading to an effective denial of service or disabling of the monitoring server.
More info.

Multiple vulnerabilities exist in the eSOMS web interface that could potentially affect the confidentiality, integrity, or availability of information. In the most severe case, an attacker who successfully exploited these vulnerabilities could take over a user’s browser session, discover session based information, or affect the confidentiality of sensitive information within the application.
More info.

Multiple product vulnerabilities were identified in Moxa’s OnCell G3100-HSPA Series and OnCell G3470A-LTE Series Cellular Gateway that could lead to DoS, RCE, CSRF, brute force authentication attacks, information exposure, and improper authentication.  Note all the CVEs are from 2018.
More info.

Arch Linux has update thunderbird, systemd, dovecot, and one more.  More info.
Debian has updated openjdk and firefox. More info.
Mageia has updated flash and others.  More info.
Amazon Linux has updated python.  More info.
Amazon Linux 2 has updated thunderbird. More info.

Microsoft Monthly Patches are out.  There are patches for 100 vulnerabilities total, 12 rated Critical, the highest CVSSv3 score of 8.8. Five of them have been previously disclosed, and the previously disclosed Scripting Engine vulnerability is actively being exploited.  There are several Critical patched vulnerabilities that allow RCE.
More info.  And here.

Adobe has published February monthly updates Acrobat and Reader, Flash, Experience Manager, Digital Editions, and Framemaker.  These include Critical vulnerabilities in most of these products.
More info.

Schneider Electric has released their Monthly Security Advisories, consisting of one new advisory and two updated advisories.  The updated advisories include fixes for previously disclosed Urgent/11 vulnerabilities, and notification of exploits in the wild for U.Motion Builder, on EOL and unsupported product.
More info.

Multiple vulnerabilities have been patched in Mozilla Firefox and Firefox ESR, the most severe of which could allow for arbitrary code execution.
More info.  And here.

Mozilla has also patched Thunderbird for several vulnerabilities rated Moderate.
More info.

Synergy Systems & Solutions HUSKY RTU has been patched to correct two vulnerabilities. The affected product does not require adequate authentication, which may allow an attacker to read sensitive information or execute arbitrary code, as well as specially crafted malicious packets could cause a DoS. These vulnerabilities have CVSSv3 scores of 9.8 and 7.5.
More info.

IBM ServeRAID Manager exposes a Java RMI that allows a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.  This is unsupported software, and no patches are expected.
More info.

An information disclosure vulnerability is present in Aruba Intelligent Edge Switches which allows an attacker to retrieve sensitive system information. This attack can be carried out without user authentication under very specific conditions.
More info.

OpenSUSE has updated nginx, systemd, chromium, and others.  More info.
Arch Linux has update firefox.  More info.
Oracle Linux has updated the kernel. More info.

SAP Monthly Patches are out.  There are 13 new security notes, and two updated notes.  Three new notes are rated High, the rest Medium.  One of the updated notes is rated Hot News.  There is one note addressing Missing Authorization Check, three addressing DoS. 
More info.

Siemens has released their Monthly Security Advisories, consisting of 12 new advisories and eight updated advisories.  The highest rated bulletins address vulnerabilities in Intel CPUs and proFTPd (leading to RCE).  The rest mostly address DoS and other CPU related vulnerabilities.
More info.

Oracle Linux has updated the kernel. More info.
RedHat has updated java and others.  More info.

Siemens has updated 58 bulletins.  A sampling shows these updates are to explicitly include SIPLUS products in the bulletins, as outlined in the notice on the Siemens security website.
More info.

Note that tomorrow is Siemens Monthly Patch day.

IBM has published multiple bulletins addressing vulnerabilities in third-party software included in Aspera Web products.
More info.

NetApp has published four new bulletins addressing vulnerabilities in third-party software included in their products.  No patches yet.
More info.

There is an information leak vulnerability in some Huawei products. An unauthenticated, remote attacker can make a large number of attempts to guess information.
More info.

OpenSUSE has updated chromium. More info.
Arch Linux has updated ksh.  More info.
Mageia has updated sudo, spamassassin, chromium, openslp, and others.  More info.
Amazon Linux and Amazon Linux 2 has updated the kernel, spamassassin, php, and others.  More info.  And here.

Multiple vulnerabilities have been corrected in LANTIME Firmware. Most require an authenticated user, but several vulnerabilities allow information disclosure, and one allowed stored XSS from a remote attacker.
More info.

Dell has updated the SUSE Linux and Oracle database components in RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance, and SUSE Linux in RSA IMG.
More info.  And here.

SUSE has updated nginx, systemd, php, and others. More info.
Arch Linux has updated chromium.  More info.
Ubuntu has updated mariadb and others.  More info.
Scientific Linux has updated the kernel.  More info.

Cisco has published seven new bulletins, five rated High, two rated Medium.  Four address Cisco Discovery Protocol vulnerabilities, requiring adjacent access.
More info.

A vulnerability in the Data-Loss-Prevention (DLP) module in Clam AntiVirus (ClamAV) could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device by sending a crafted email file.
More info.

Xerox has updated third-party software (Oracle, Microsoft, Java, and Firefox) in their FreeFlow Print Servers.
More info. And here.

A remote attacker may be able to perform a denial-of-service (DoS) attack on an AWS-hosted BIG-IP Virtual Edition (VE) system by causing the TMM process to restart.
More info.

The Traffic Management Microkernel (TMM) of BIG-IP systems may produce a core file when using the connector profile and a specific sequence of connections are received, resulting in a DoS.
More info.

SUSE has updated systemd and xen. More info.
Arch Linux has updated sudo.  More info.
Oracle Linux has updated the kernel and others.  More info.
CentOS has udpated git, the kernel, spamassassin, and others.  More info.
Ubuntu has updated mbedtls, sudo, opensmtpd, systemd, and others.  More info.

Google has published an update for Chrome for Desktop that contains 56 security fixes.
More info.

C-More Touch Panels insufficiently protect credentials, making it possible to unmask credentials and other sensitive information on “unprotected” project files, which may allow an attacker to remotely access the system and manipulate system configurations. CVSSv3 base score of 10.
More info.

Attackers are using a critical, previously disclosed command injection flaw in Nortek's Linear eMerge E3 Series access-controller family to launch DDoS attacks.  The vulnerabilities allow unauthenticated attackers to gain complete control of the system.  The original bulletin was in May 2019.
More info. And here.

Eaton has published a bulletin addressing vulnerabilities that could lead to RCE in the SMP Gateway SSL/TLS component of Eaton's SMP Gateway automation platform.  The listed CVEs are from 2017.
More info.

RedHat has updated ksh, the kernel, and others.  More info.
Ubuntu has updated spamassassin.  More info.

Qualcomm has published their Monthly Bulletin.  There are four vulnerabilities in proprietary software, all rated High, and nine vulnerabilities in open source software, six rated High and three rated Medium.
More info.

Android Monthly Patches are out.  There are 15 vulnerabilities, plus the Qualcomm patches.  Two vulnerabilities are rated Critical, 13 are rated High.  One Critical vulnerability allows Remote Code Execution, the second allows Information Disclosure.
More info.

The Pixel Monthly Bulletin includes the Qualcomm vulnerabilities.
More info.

Squid has published three new bulletins addressing vulnerabilities including DoS, security bypass, RCE, and information disclosure.
More info.

PPP has addressed a vulnerability which allows a remote attacker to execute arbitrary code on the target system. The vulnerability exists due to a boundary error in pppd. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
More info.

An Uncontrolled Resource Consumption vulnerability in multiple products may allow an attacker to cause web service portal denial of service (DoS) via handling special crafted HTTP requests/responses in pieces slowly.
More info.

NetApp has published three bulletins for vulnerabilities in third-party software in their products.  No patches yet.
More info.

SUSE has updated python and crowbar.  More info.
OpenSUSE has updated mailman.  More info.
RedHat has updated php, the kernel, and others.  More info.
CentOS has updated git.  More info.
Arch Linux has updated python-django.  More info.
Oracle Linux has updated git.  More info.
Ubuntu has updated django and sudo.  More info.
Mageia has updated the kernel and openjpeg2.  More info.

Johnson Controls has learned of vulnerabilities impacting ElasticSearch/Kibana, a third party software component used by Metasys Server software. An attacker could send a request that  leads remote code execution with the system level permissions granted to the Kibana process.
More info.

Multiple components within RSA NetWitness Platform require a security update to address various vulnerabilities.
More info.

RedHat has updated git.  More info.
Debian has updated qemu, spamassassin, sudo, and others.  More info.
Scientific Linux has updated git.  More info.