An authentication-bypass vulnerability exists in OpenBSD's authentication system: this vulnerability is remotely exploitable in smtpd, ldapd, and radiusd.
More info.

BD integrates CylancePROTECT for certain BD products. An issue within CylancePROTECT was publicly disclosed in July. This vulnerability could allow an attacker to bypass the anti-malware component of the product, which would allow malware to run on the system. BD is currently testing the updates with their products.
More info.

IBM ToolsCenter Dynamic System Analysis (DSA) Preboot is affected by multiple vulnerabilities.
More info.

IBM DataPower Gateway contains a vulnerability in IPMI. If IPMI over LAN Is enabled, a default administrator account is also enabled.
More info.

A malicious actor with network access to port 427 on an ESXi host or on any Horizon DaaS management appliance may be able to overwrite the heap of the OpenSLP service resulting in remote code execution.  CVSSv3 of 9.8
More info.

Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a Man in the middle with knowledge of the key to eavesdrop on and modify information sent and received from Fortiguard servers by decrypting these messages.
More info.

NETGEAR has released fixes for a pre-authentication stack overflow security vulnerability on multiple product models.
More info.

SUSE has clamav and others.  More info.
Arch Linux has updated crypto++ and thunderbird.  More info.
RedHat has updated firefox and java.  More info.
Oracle Linux has updated firefox.  More info.
Ubuntu has updated rabbitmq.  More info.
Mageia has updated phpmyadmin, clamav, openssl, and others.  More info.

Netgear has published 55 new bulletins for various products, fixing vulnerabilities that include Stored XSS, DoS, Information Disclosure, Authentication Bypass, Hardcoded Pasword, and Pre-Authentication Buffer Overflow.
More info.

The OpenSSL library has been updated in PAN-OS to resolve a cryptographic vulnerability that under certain situations may allow a remote attacker to decrypt data by observing server responses to different types of errors.
More info.

Several Weidmüller Industrial Ethernet managed switches contain multiple vulnerabilities, including credentials transmitted and stored in plaintext, predictable cookie info allowing admin compromise, and no brute-force protection.
More info.  And here.

Mozilla has published an update for Thunderbird that fixes several High and Moderate vulnerabilities.
More info.

Avaya has published updates to correct defaults settings for the CORS filter which are insecure and enable 'supportsCredentials' for all origins.  Most customers will have changed the defaults, but this is a CVSSv3 of 9.8
More info.

Avaya has also updated the underlying RedHat OS to correct several security vulnerabilities.
More info.

It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
More info.

NetApp has published a bulletin outlining vulnerabiltiies in the Linux kernel used in their products.  No fixes yet.
More info.

Oracle Linux has updated the microcode.  More info.
Ubuntu has updated squid and haproxy.  More info.

Johnson Controls has reported on four vulnerabilities impacting the Flexera FlexNet Publisher licensing manager which is installed with and used by the Software House C•CURE 9000 application. Vulnerabilities that could be exploited by remote attackers include DoS and RCE.
More info.

Dell has published a bulletin outlining the TCP SACK vulnerabilities in the EMC Enterprise Hybrid Cloud product. No patches yet, only workarounds.
More info.

Huawei has published 14 new bulletins, covering DoS, OOB read, improper authorization, RCE, and other vulnerabilities in several products.
More info.

Mozilla has patched several High and Moderate vulnerabilities in Firefox and Firefox ESR, some resulting in a potentially exploitable crash.
More info.

OpenSUSE has updated haproxy.  More info.
Arch Linux has updated firefox.  More info.
CentOS has updated the kernel.  More info.
Scientific Linux has updated tcpdump and others.  More info.

Google has published their Monthly Patches for Android.  21 vulnerabilities are addressed, plus Qualcomm vulnerabilities.  Three are rated Critical, 16 are rated High.
More info.

Google has also published the Monthly Patches bulletin for Pixel.  Eight security vulnerabilities, one rated Critical, one rated High, the rest Moderate.
More info.

Hitachi has published updates to correct multiple vulnerabilities in Cosminexus HTTP Server.
More info.

The solar inverter series of Fronius are prone to different application based vulnerabilities. Beside the unencrypted HTTP communication other issues like path traversal and outdated software was identified in the firmware of the devices. A backdoor user was found to be present on the device that changes its password every day and can be predicted when the algorithm is known. The vendor automatically performed a fleet update of the solar inverters in the field in order to patch them. Nevertheless, as not all devices could be reached through such an update, all remaining users are advised to install the patches provided by the vendor immediately.
More info.

RedHat has updated the kernel, python-jinja2, and others.  More info.
Ubuntu has updated the kernel.  More info.

Multiple product vulnerabilities were identified in Moxa’s AWK-3121 Series Industrial AP/Bridge/Client, including Command Injection, XSS, buffer overflow, HTTP default, open wifi, telnet, improper access control, and XSRF.  Product is EOS, no fixes.
More info.

Qualcomm Monthly Patches for December are out.  Three vulnerabilities are rated Critical, seven are High, and one is Medium.  Vulnerabilities include information exposure, buffer overread, buffer overflow, improper access control, DoS, and others.
More info.

An update for Privileged Account Manager 3.6 patches an Intel CPU vulnerability.
More info.

SUSE has updated haproxy and python django.  More info.
OpenSUSE has updated clamav, strongswan, cpio, phpmyadmin, and others.  More info.
Ubuntu has updated sqlite.  More info.
Mageia has updated chromium, glibc, libssh, curl, and others.  More info.

Fortinet has reported on TCP Sack vulnerabilities in the linux OS versions used in several products. Patches for some, workarounds for others.
More info.

SUSE has updated ucode-intel and others.  More info.
Debian has updated libvpx.  More info.
Ubuntu has updated psutil.  More info.

All versions of the Dräger SC Monitoring product line are affected by a DoS vulnerability, a malformed network packet may cause the monitor to reboot, and Plain-text credentials in source code.  This product line is EOS since Dec. 2011.
More info.

Several vulnerabilities in QTS and Photo Station allow remote attackers to modify files or run arbitrary code.
More info.

A stored cross-site scripting (XSS) vulnerability has been reported to affect multiple versions of QTS. If exploited, this vulnerability may allow an attacker to inject and execute scripts on the administrator console.
More info.

Several vulnerabilities in QTS, Video Station and Music Station allow remote attackers to access system files or execute XSS attacks.
More info.

BlackBerry has published the November bulletin for BlackBerry powered by Android.
More info.

The latest update of PHP includes security fixes for heap buffer overflow in exif, an underflow in FPM that can lead to RCE, as well as lots of bug fixes.
More info.

SUSE has updated java.  More info.
Debian has updated haproxy.  More info.
Oracle Linux has updated tcpdump.  More info.
Ubuntu has updated nss.  More info.

An attacker with access to the device communication between the BIG-IP ASM Central Policy Builder and the BIG-IQ/Enterprise Manager/F5 iWorkflow will be able to set up the proxy the same way and intercept the traffic, allowing the attacker to impersonate the BIG-IP ASM Central Policy Builder and send corrupted or incorrect suggestion data to the BIG-IQ/Enterprise Manager/F5 iWorkflow. This may lead to incorrect policy building suggestions or a partial denial-of-service (DoS).
More info.

Under certain conditions, the Traffic Management Microkernel (TMM) may consume excessive resources when processing traffic for a virtual server with the FIX (Financial Information eXchange) profile applied resulting in DoS.
More info.

BIG-IP APM ignores the Restrict to Single Client IP option for Native RDP resources. An unauthorized client machine can launch an RDP session to a back-end resource server in an APM session.
More info.

When the BIG-IP system is configured in HTTP/2 full proxy mode, specifically crafted requests may cause a disruption of service provided by the Traffic Management Microkernel (TMM).
More info.

Undisclosed traffic flow may cause the TMM to restart under some circumstances, allowing a remote attacker to cause a DoS. This issue occurs on multi-blade chassis.
More info.

Resource starvation due to a memory leak may cause the TMM to restart, leading to DoS or failover in a high availability (HA) environment.
More info.

When BIG-IP ASM Bot Detection is configured, a malicious actor may be able to inject invalid DNS responses that will be cached indefinitely, bots that would normally be classified as legitimate may be classified as malicious.
More info.

TP-LINK TL-WR841N routers contain a flaw within the web service that listens on TCP port 80 by default. When parsing the Host request header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length static buffer. An attacker can leverage this vulnerability to execute arbitrary code as the admin user.
More info.

Symantec Critical System Protection (CSP) may be susceptible to an authentication bypass vulnerability. CVSSv3 of 9.4
More info.

IBM QRadar Network Packet Capture is vulnerable to several flaws in OpenSSL and Python.
More info.

HP has identified an issue affecting VNC session security within HP Device Manager that could potentially be leveraged to create unauthorized connections.
More info.

NetApp has published three bulletins documenting vulnerabilities in third-party software.  No fixes yet.
More info.

Xerox has updated several FreeFlow Print Server models with the October Oracle CPU.
More info.

Ubuntu has updated thunderbird, ruby, and redmine.  More info.

BIG-IP configurations using Active Directory, LDAP, or Client Certificate LDAP for management authentication with multiple servers are exposed to a vulnerability which allows an authentication bypass. This can result in a complete compromise of the system. This issue only impacts specific engineering hotfixes.  CVSSv3 of 9.8
More info.

F5 BIG-IP and SSL Orchestrator products contain vulnerable versions of Node.js.  The Node.js inspector is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution.
More info.

The RSA, DSA and ED25519 keys were not created during initial generation of the SSH keys on first startup or when restoring factory settings in LANTIME versions. As a result, these keys were replaced with default values which theoretically allow attackers to set up man-in-the-middle attacks,  There are also updates to correct 3rd party software vulnerabilities.
More info.

SUSE has updated mailman, libssh, sqlite, clamav, strongswan, and others.  More info.
RedHat has updated the kernel and python jinja.  More info.

Dell EMC Storage Monitoring and Reporting  contains a Java RMI Deserialization of Untrusted Data vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by sending a crafted RMI request to execute arbitrary code on the target host.
More info.

Kaspersky Lab has fixed a security issue in Kaspersky Password Manager that could potentially lead remote unauthorized access by 3rd parties to information about address items which are stored in the vault while it is in unlocked state.
More info.

Kaspersky has fixed several security problems in Anti-Virus products family for Windows, including multiple Bypass vulnerabilities, DoS, and Information Disclosure.
More info.

OpenSUSE has updated haproxy, apache perl, java, and others.  More info.
RedHat has updated sdl, chromium, python, and others.  More info.
Oracle Linux has updated php, the kernel, sudo, and others.  More info.
Debian has updated chromium.  More info.
Gentoo Linux has updated firefox, chromium, flash, and others.  More info.
Amazon Linux updated python.  More info.
Amazon Linux 2 has updated the kernel, python, ntp, and rsyslog.  More info.

Flexera has published an update for FlexNet Publisher.  Because the message reading function calls itself recursively given a certain condition in the received message, an unauthenticated remote attacker can repeatedly send messages of that type to cause a stack exhaustion condition.
More info.

A Denial of Service vulnerability related to command handling has been identified in FlexNet Publisher. The message reading function used in lmadmin.exe can, given a certain message, call itself again and then wait for a further message. With a particular flag set in the original message, but no second message received, the function eventually return an unexpected value which leads to an exception being thrown. The end result can be process termination.
More info.

Dell has published an update for RSA NetWitness Logs and Network Security for multiple third party component vulnerabilities.
More info.

Xerox has published three new bulletins that address third-party software updates in several FreeFlow Print Server models.
More info.

A SIP request can be sent to Asterisk that can change a SIP peer’s IP address. A REGISTER does not need to occur, and calls can be hijacked as a result. The only thing that needs to be known is the peer’s name; authentication details such as passwords do not need to be known.
More info.

If Asterisk receives a re-invite initiating T.38 faxing and has a port of 0 and no c line in the SDP, a crash will occur.
More info.

Three vulnerabilities are reported to affect all versions of Helpdesk, Music Station, and File Station. An improper access control vulnerability in Helpdesk allows attackers to access the system logs. A command injection vulnerability in Music Station allows attackers to execute commands on the affected device. A command injection vulnerability in File Station allows attackers to execute commands on the affected device.
More info.

NetApp has pubilished five new bulletins for third party software vulnerabilities in their products.
More info.

OpenSUSE has updated chromium and squid.  More info.

Flexera has published an update for FlexNet Publisher.  Because the message reading function calls itself recursively given a certain condition in the received message, an unauthenticated remote attacker can repeatedly send messages of that type to cause a stack exhaustion condition.
More info.

A Denial of Service vulnerability related to command handling has been identified in FlexNet Publisher. The message reading function used in lmadmin.exe can, given a certain message, call itself again and then wait for a further message. With a particular flag set in the original message, but no second message received, the function eventually return an unexpected value which leads to an exception being thrown. The end result can be process termination.
More info.

Dell has published an update for RSA NetWitness Logs and Network Security for multiple third party component vulnerabilities.
More info.

Xerox has published three new bulletins that address third-party software updates in several FreeFlow Print Server models.
More info.

A SIP request can be sent to Asterisk that can change a SIP peer’s IP address. A REGISTER does not need to occur, and calls can be hijacked as a result. The only thing that needs to be known is the peer’s name; authentication details such as passwords do not need to be known.
More info.

If Asterisk receives a re-invite initiating T.38 faxing and has a port of 0 and no c line in the SDP, a crash will occur.
More info.

Three vulnerabilities are reported to affect all versions of Helpdesk, Music Station, and File Station. An improper access control vulnerability in Helpdesk allows attackers to access the system logs. A command injection vulnerability in Music Station allows attackers to execute commands on the affected device. A command injection vulnerability in File Station allows attackers to execute commands on the affected device.
More info.

NetApp has pubilished five new bulletins for third party software vulnerabilities in their products.
More info.

OpenSUSE has updated chromium and squid.  More info.

A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times.
More info.

There is inadequate account lockout in IBM Cloud Pak System formerly known as IBM PureApplication System. IBM Pure Application System uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.
More info.

XStream as used by IBM QRadar SIEM is vulnerable to OS command injection.
More info.

ONTAP Select Deploy administration utility is susceptible to a code injection vulnerability which when successfully exploited could allow an unauthenticated remote attacker to enable and use a privileged user account. CVSSv3 of 10.
More info.

Cisco has published 14 new bulletins and updated 2 bulletins.  All the new bulletins are rated Medium, the 2 updated bulletins are rated High.
More info.

There is a use of insufficiently random values vulnerability in Huawei ViewPoint products. An unauthenticated, remote attacker can guess information by a large number of attempts. Successful exploitation may cause information leak.
More info.

On a server with TCP-pipelining capability, it is possible for one TCP client to send a large number of DNS requests over a single connection. Each outstanding query will be handled internally as an independent client request, thus bypassing the new TCP clients limit.
More info.

SUSE has updated the kernel and python-ecdsa.  More info.
OpenSUSE has updated chromium and others.  More info.
Oracle Linux has updated the kernel, glibc, and openssl.  More info.
Ubuntu has updated bind and mariadb.  More info.

The CODESYS web server is used by the CODESYS WebVisu to display CODESYS visualization screens in a web browser. Specific crafted requests may cause a heap-based buffer overflow, which could crash the web server, lead to a denial-of-service condition or may be utilized for remote code execution.  CVSSv3 of 10.
More info.

Bulletins for vulnerabilities patched in FlexNet Publisher in April are making the rounds.  Note that one of the vulnerabilities is CVSSv3 9.8, RCE, so if you haven't updated, you should.
More info.

A DoS vulnerability using PROFINET DCE-RPC endpoint discovery packets was identified in Moxa’s EDS-G508E, EDS-512E, and EDS-516E Series Ethernet Switches.
More info.

An improper sanitization vulnerability was identified in Moxa’s EDR-810 Series Secure Routers. A specially crafted HTTP POST could possibly trigger arbitrary command injection.
More info.

A spoofing vulnerability exists in the way Microsoft Outlook for Android software parses specifically crafted email messages. An authenticated attacker could exploit the vulnerability by sending a specially crafted email message to a victim. The attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user.
More info.

Use of a hardcoded cryptographic key in the FortiGuard services communication protocol may allow a Man in the middle with knowledge of the key to eavesdrop on and modify information.
More info.

Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacker with access to the backup file to decipher the sensitive data, via knowledge of the hard-coded key.
More info.

Mageia has updated mariadb, the kernel, the microcode, clamav, and others.  More info.

IBM WebSphere Application Server Liberty contains a vulnerability resulting in improper handling of request headers, which can affect IBM Spectrum Protect Operations Center. A remote attacker could exploit this vulnerability to cause the consumption of Memory.
More info.

Two vulnerabilities in curl affect PowerSC. An integer overflow in curl's URL API results in a buffer overflow and a heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution.
More info.

A potential vulnerability has been identified in Operations Agent. The vulnerability could be exploited to perform an XXE attack on Operations Agent.
More info.

Google has released an update for Chrome for Destop that fixes 5 security issues.
More info.

SUSE has updated java and others.  More info.
RedHat has updated the kernel-rt.  More info.

SUSE has updated the microcode, enigmail, and others.  More info.
OpenSUSE has updated the microcode and go.  More info.
Debian has updated mosquitto and thunderbird.  More info.
Ubuntu has updated mysql and python-ecdsa.  More info.
Amazon Linux and Amazon Linux 2 has updated the microocde.  More info.

Omron CX-Supervisor ships with Teamviewer. This version of Teamviewer is vulnerable to an obsolete function vulnerability requiring user interaction to exploit. Successful exploitation of this vulnerability could result in information disclosure, total compromise of the system, and system unavailability.
More info.

McAfee has patched OpenSSL SSL 3.0 in their products.  CVEs from 2014...
More info.

When the BIG-IP APM system processes certain requests, the apd/apmd process may consume excessive resources, resulting in DoS.
More info.

On BIG-IP systems the default management port firewall rules are not reliably reinstalled after first boot. As a result, the management port may be exposed to traffic on unauthorized ports.
More info.

The BIG-IP / BIG-IQ / Enterprise Manager / F5 iWorkflow Configuration utility is vulnerable to Anti DNS Pinning (DNS Rebinding) attack.
More info.

iControl REST logs a plaintext password when the syntax of a cURL request is incorrect. Disclosure of the BIG-IP system's device password can lead to other exploits.
More info.

Undisclosed HTTP requests may consume excessive amounts of system resources, which may cause a denial-of-service (DoS). The affected BIG-IP system enters into a loop with the Traffic Management Microkernel (TMM) process handling the restarted request. The BIG-IP system fails over in a high availability (HA) environment, which results in an interruption in traffic processing.
More info.

BIG-IP virtual servers with TLS 1.3 enabled may experience a denial-of-service (DoS) due to undisclosed incoming messages.
More info.

Multiple integer overflow and out of bounds read/write vulnerabilities in the SSL VPN web-mode SSH client may allow an unauthenticated attacker to cause the SSL VPN user session to break (Denial of service) and possibly to run arbitrary code via specially crafted packets sent from a malicious SSH server.
More info.

Some Huawei home routers have an input validation vulnerability and an improper authorization vulnerability. An attacker can obtain files in the device and upload files to some directories, and execute uploaded malicious files and escalate privilege.
More info.

There is an improper access control vulnerability in Huawei Share. The software does not properly restrict access to certain file from certain application. An attacker tricks the user into installing a malicious application then establishing a connect to the attacker through Huawei Share, successful exploit could cause information disclosure.
More info.

SUSE has updated squid, bash, and the kernel.  More info.
CentOS has updated the kernel, microcode, thunderbird, and others.  More info.
Oracle Linux has updated the kernel.  More info.
Debian has updated postgresql and ghostscript.  More info.
Ubuntu has updated postgresql and ghostscript.  More info.
Scientific Linux has updated the kernel and ghostscript.  More info.
Amazon Linux 2 has updated openssl and others.  More info.

Dell has pubished a security bulletin rated Critical.  Oracle JRE within Dell EMC Storage Monitoring and Reporting requires a security update to address various vulnerabilities.
More info.

Xerox has published updates that apply the October Microsoft updates and Java and Firefox updates to the FreeFlow Print Server.
More info.

An attacker can use Function inside of vulnerable versions of lodash to execute malicious code using the Traffic Management User Interface (TMUI) or iControl REST API.
More info.

A vulnerability allows remote attackers to conduct denial-of-service attacks via a susceptible version of Synology Assistant.
More info.

SUSE has updated the kernel and microcode.  More info.
OpenSUSE has updated the kernel, microcode, and others.  More info.
Arch Linux has updated the microcode.  More info.
RedHat has updated the kernel.  More info.
CentOS has updated the kernel, microcode, thunderbird, and others.  More info.
Oracle Linux has updated the kernel.  More info.
Debian has updated the kernel, microcode, and others.  More info.
Scientific Linux has updated the kernel.  More info.

Microsoft Monthly Patches are out.  There is a total of 74 vulnerabilities, including two advisories. 14 of the vulnerabilities are rated critical. Two vulnerabilities had been disclosed prior to today, and one critical scripting engine vulnerability that may lead to RCE has already been exploited in the wild.
More info.  And here.  And here.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.  This is actively being exploited.
More info.

Adobe Monthly Patches are out.  Adobe has released security updates to address vulnerabilities in Animate CC 2019, Illustrator CC, Media Encoder, and Bridge CC. An attacker could exploit some of these vulnerabilities to take control of an affected system.
More info.

Intel has published 18 bulletins, two rated Critical and eight rated High.
More info.

Potential security vulnerabilities in Intel Baseboard Management Controller (BMC) firmware may allow escalation of privilege, denial of service and/or information disclosure.
More info.

Potential security vulnerabilities in Intel CSME, Intel SPS, Intel TXE, Intel AMT, Intel PTT, and Intel DAL may allow escalation of privilege, denial of service or information disclosure.
More info.

Lenovo has published updates for the Intel vulnerabilities.  More info.
Supermicro has published updates.  More info.
HP has published updates.  More info.
Dell has published updates.  More info.
FreeBSD has updated for two Intel vulnerabilities.  More info.
Citrix has updated.  More info.
Xen has updated.  More info.
NetApp has published eight bulletins.  More info.

Philips has become aware of a potential issue with inadequate encryption strength associated with the Philips IntelliBridge EC40 and EC80 Hub. Successful exploitation of this issue may allow an unauthorized user access to the hub, and may allow access to execute software, modify system configuration, or view/update files, including unidentifiable patient data.
More info.

An ePolicy Orchestrator update fixes multiple Java vulnerabilities that can allow Information Exposure, DoS, and Information Modification.
More info.

Unprotected Transport of Credentials in ePO extension in McAfee Data Loss Prevention allows remote attackers with access to the network to collect login details to the LDAP server via the ePO extension not using a secure connection when testing LDAP connectivity.
More info.

Traffix SDC is vulnerable to issues in libpcap.
More info.

SUSE has updated the kernel, python, dhcp, and others.  More info.
Arch Linux has updated the kernel and others.  More info.
RedHat has updated the kernel.  More info.
Oracle Linux has updated the kernel.  More info.
Ubuntu has updated the kernel and others.  More info.

SAP Monthly Patches are out.  There are 12 new security notes and three updated ones.  All of the updated notes are rated Hot News, one new bulletin is rated Hot News, one is High, the rest are Medium.  Three bulletins address missing authorization vulnerabilities.
More info.

Siemens Monthly Patches are out.  There are three new bulletins, and five updated bulletins.  Several of the updates include patches to previously reported vulnerabilities.
More info.

The latest update for Desigo PXC devices fixes a vulnerability that could allow unauthenticated remote users to cause a denial of service condition on the PX Web interface (HTTP, port tcp/80) of a device.
More info.

Schneider Electric has published Monthly Patches, with two new bulletins and six updated bulletins.  The two new bulletins address XSS in Andover Continuum and Information Exposure in Modicon Controllers.  New bulletins are not yet available on the site.
More info.

F5 has identified that their products are vulnerable to recent issues patched in tcpdump.  No fixes yet.
More info.

Multiple vulnerabilities have been published for squid, including HTTP response splitting, DoS, and RCE.
More info.

Thales/Gemalto Product Security Team has investigated recently reported vulnerabilities in Sentinel LDK License Manager.
More info.

IBM QRadar SIEM is vulnerable to multiple kernel and Eclipse Jetty vulnerabities.
More info.  And here.

SUSE had updated libssh, apache, and others.  More info.
OpenSUSE has updated php, firefox, thunderbird, python, and others.  More info.
Arch Linux has updated the kernel and squid.  More info.
Debian has updated chromium.  More info.
Ubuntu has updated bash. More info.

Medtronic Valleylab FT10 and FX8 products use multiple sets of hard-coded credentials, reversible one-way hash, and a vulnerable version of the rssh utility.  Patches for FT10 are available.
More info.  And here.

Mitsubishi Electric MELSEC-Q Series and MELSEC-L Series CPU Modules contain a security vulnerability that would allow a remote attacker to cause a DoS through the FTP service.
More info.

Google has released an update for Chrome for Desktop containing 4 security fixes.
More info.

Honeywell MAXPRO VMS contains two vulnerabilities that can allow Unauthenticated RCE via unsafe binary deserialization and Unauthenticated Remote arbitrary SQL command execution.
More info.

Hitachi has published security bulletins for Cosminexus HTTP Server, Hitachi Command Suite, and Hitachi Infrastructure Analytics Advisor.
More info.

SUSE had updated thunderbird, gdb, and others.  More info.
Gentoo Linux has updated openssl, openssh, and others.  More info.
Mageia has updated chromium, thunderbird, firefox, python, proftd, and others.  More info.
Scientific Linux has updated thunderbird.  More info.

Cisco has published 16 bulletins for their products, 8 rated High, 6 Medium, and 2 are Informational.
More info.

Multiple vulnerabilities in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system.
More info.

Multiple vulnerabilities in the video service of Cisco TelePresence Collaboration Endpoint (CE) and Cisco RoomOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
More info.

Cisco firmware for Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers and RV016, RV042, RV042G, and RV082 Routers are affected by Static certificates and keys, Hardcoded password hashes, and Multiple vulnerabilities in third-party software components.
More info.  And here.

Moxa has reported vulnerabilities in EDS-405A Series Ethernet Switches that could allow an attacker to cause a DoS.
More info.

NetApp has published five bulletins documenting third-party software vulnerabilities in their products. No patches.
More info.

SUSE had updated libssh and php.  More info.
OpenSUSE has updated chromium.  More info.
Arch Linux has updated squid and the kernel.  More info.
RedHat has updated chromium, thunderbird, sudo, and others.  More info.
Scientific Linux has updated sudo.  More info.
Amazon Linux has updated subversion and docker.  More info.
Amazon Linux 2 has updated dovecot, samba, and others.  More info.

Omron CX-Supervisor uses a vulnerable version of TeamViewer.  Successful exploitation could result in information disclosure, total compromise of the system, and system unavailability.
More info.

Omron has released an updated version of Network Configurator for DeviceNet Safety to address a previously reported vulnerability.
More info.

SUSE had updated samba, libssh, and others.  More info.
OpenSUSE has updated php, python, the kernel, and others.  More info.
RedHat has updated php, python, and others.  More info.
Debian has updated proftpd.  More info.
Ubuntu has updated nokogiri, haproxy, and others.  More info.

Qualcomm has published their monthly patches, with 13 fixed vulnerabilities.  Five are marked Critical, six are High, the other two are Medium.  Six have an attack vector of Remote.
More info.

Google has published their Monthly Patches for Android.  There are 27 vulnerability fixes plus the Qualcomm patches.  Three are rated Critical, four allow RCE.
More info.

They have also released the Monthly Patches for Pixel, with 19 fixed vulnerabilities, with one allowing RCE.
More info.

Brocade has published seven new bulletins for their SANnav product, covering MItM, weak encryption, hardcoded passwords and more.  Highest CVSSv3 score is 7.5.
More info.

All F5 products are vulnerable to a DoS vulnerability in tcpdump.  When tcpdump is active and configured to parse FRF.16 traffic, certain traffic patterns may trigger a crash or other unexpected behavior of the tcpdump process.
More info.

Tenable has published a standalone PHP patch for Tenable.sc
More info.

SUSE had updated samba and python-ecdsa.  More info.
Arch Linux has updated electron and samba. More info.
Debian has updated webkit2gtk.  More info.

ABB is aware of public reports of a vulnerability in Power Generation Information Manager and Plant Connect. An attacker who exploits this vulnerability can bypass authentication and extract the user credentials used within the application. CVSSv3 score of 9.8.
Note this statement: "In some cases, end users have used the same usernames and passwords for Windows login. In such instances, if an unauthorized user extracts credentials for PGIM and Plant Connect, then they would also be in possession of Windows credentials, potentially compromising the security of the Domain."

An updated product, Symphony Plus Historian, is available that resolves the publicly reported vulnerabilities.
More info.

Multiple security vulnerabilities have been fixed in Xerox AltaLink products.
More info.

The QSnatch malware is reportedly being used to target QNAP NAS devices. QNAP has added rules to remove the QSnatch malware and released Malware Remover 3.5.4.0 and 4.5.4.0.
More info.

OpenSUSE had updated chromium.  More info.
Arch Linux has updated chromium, ghostscript, python, glibc, and others. More info.
CentOS has updated php, firefox, nss, and others.  More info.
Scientific Linux has updated firefox and php.  More info.
Amazon Linux and Amazon Linux 2 have updated php.  More info.