A patch for an authentication token vulnerability with Privileged Account Manager endpoints has been published for NetIQ.
(Micro Focus published a bulletin about this in May).
More info.

PuTTY has implemented fixes for two separate vulnerabilities affecting the obsolete SSH-1 protocol, both available before host key checking, and a vulnerability in all the SSH client tools (PuTTY, Plink, PSFTP and PSCP) if a malicious program can impersonate Pageant.
More info.

Exim has published notice of a bulletin to be released 25 July.  A local or remote attacker can execute programs with root privileges - if you've an unusual configuration.   They consider the risk low as the configuration needed to exploit is not the default.
More info.

OpenSUSE has updated firefox, samba, python, the kernel, php, postgresql, zeromq, neovim, and others.  More info.
RedHat has updated java.  More info.
Debian has updated the kernel.  More info.
Mageia has updated firefox, thunderbird, libreswan, and others.  More info.

Palo Alto Networks is aware of the reported remote code execution (RCE) vulnerability in its GlobalProtect portal and GlobalProtect Gateway interface products. The issue is already addressed in prior maintenance releases.  If you haven't updated, do it now.
More info.

Multiple vulnerabilities have been found in Hitachi Infrastructure Analytics Advisor and Hitachi Compute Systems Manager.
More info.

NetApp has published five new bulletins regarding vulnerabilities introduced into their products by third-party software.  There are updates for three out of the five.
More info.

Foxit has released Foxit PhantomPDF 8.3.11, which addresses at least 13 security vulnerabilities, including multiple DoS and RCE vulnerabilities.
More info.

SUSE has updated the kernel, libreoffice, glibc, and tomcat.  More info.
OpenSUSE has updated tomcat, the kernel, and others.  More info.
Oracle Linux has updated vim.  More info.

Cisco has published 8 new bulletins, 1 rated Critical, 2 rated High, the rest Medium.
More info.

A vulnerability in the REST API interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to bypass authentication on an affected system. The vulnerability is due to insufficient validation of HTTP requests. A successful exploit could allow the attacker to execute arbitrary actions through the REST API with administrative privileges on the affected system.
More info.

A vulnerability in the Cisco FindIT Network Management Software virtual machine (VM) images could allow an unauthenticated, local attacker who has access to the VM console to log in to the device with a static account that has root privileges. The vulnerability is due to the presence of an account with static credentials in the underlying Linux operating system.
More info.

The latest version of LANTIME firmware includes an OpenSSH update and security patches to fix the TCP-SACK vulnerability.
More info.

There is an improper authentication vulnerability on PC Manager. The certain driver interface of the software does not perform a validation of user-mode data properly, successful exploit could result in malicious code execution.
More info.

It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
More info.

SUSE has updated firefox, the kernel, and tomcat.
More info.

CentOS has updated thunderbird and vim.  More info.
Ubuntu has updated thunderbrid, libreoffice, and squid.  More info.

LenovoEMC is a 2013 rebrand of Iomega products initially purchased by EMC in 2008.  A vulnerability in Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.  Most are EOL, but given the impact, firmware updates have been published. 
More info.  And here.

Xerox has two bulletins out for their products.  One covers a CBC MitM attack with recommendations to disable CBC ciphers, the other addresses a libTiff vulnerability with an upgrade.
More info.

Improper Neutralization of Input During Web Page Generation in FortiNAC admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
More info.

By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning.
More info.

LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document. A flaw existed where bullet graphics were omitted from this protection.
More info.

SUSE has updated the kernel.
More info.

Arch Linux has published updates for firefox, squid, and chromium.  More info.
RedHat has updated thunderbird, vim, and others.  More info.
Debian has updated libreoffice.  More info.

Oracle Quarterly Patches are out.  There are 319 security fixes, 199 remotely exploitable without authentication.  Patches cover the Database, Berkeley DB, Communications, Construction and Engineering, E-Business, Enterprise Manager, Financial Services, Food and Beverage, Fusion Middleware, Hospitality, Hyperion, Insurance, Java, GraalVM, JD Edwards, MySQL, PeopleSoft, Retail, Siebel CRM, Sun Systems, Supply Chain, Support Tools, Utilities, and Virtualization.
More info.

Google has released a security update for Chrome, that fixes 2 security vulnerabilities, rated High and Medium.
More info.

ABB is aware of a vulnerability in the reporting mechanism for both CCLAS and Ellipse. When a report is generated it is stored on disk,and a URL is created to access the report through the UI. The URL request does not go through proper checks to ensure the user performing the request is an authenticated user. Anyone with access to the URL is able to download the report.
More info.

SUSE has updated the kernel and others.
More info.

RedHat has updated thunderbird and cyrus-imapd.  More info.
Oracle Linux has updated thunderbird.  More info.
Ubuntu has updated squid, bash, and others.  More info.

16 July is Oracle's Quarterly Patch day.  The Pre-Release announcement is available for your patch planning purposes.
More info.

Traffix SDC is vulnerable to a kernel race condition in sas_expander.c.  An attacker can exploit this issue to cause denial of service (DoS) and run arbitrary code.
More info.

NetApp products are vulnerable to an issue in Highcharts.
More info.

Squid has published six new security bulletins, addressing RCE, DoS, and XSS vulnerabilities.
More info.

SUSE has updated the kernel, python, tomcat, php, and others.
More info.

CentOS has updated firefox.  More info.
Debian has updated thunderbird.  More info.
Ubuntu has updated firefox.  More info.

AVEVA Vijeo Citect and Citect SCADA Floating License Manager contains vulnerabilities that could allow an attacker to deny the acquisition of a valid license for legal use of the product, resulting in DoS or possibly RCE.
More info.

Delta Electronics reports that CNCSoft ScreenEditor contains multiple heap-based buffer overflow vulnerabilities that may be exploited by processing specially crafted project files, allowing an attacker to remotely execute arbitrary code.
More info.

Multiple vulnerabilities have been identified in the management console of the Citrix/NetScaler SD-WAN Centerand on the Citrix/NetScaler SD-WAN Appliance. Collectively, these vulnerabilities could result in an unauthenticated attacker executing commands as root against the SD-WAN Center management console, or potentially be used to gain root privileges on the SD-WAN appliance.
More info.

IBM has patched FileNet Content Manager to correct a publicly disclosed vulnerability in Java.
More info.

IBM has patched Oracle Outside In Technology used by IBM FileNet Content Manager to correct a publicly disclosed vulnerability in Oracle Fusion Middleware.
More info.

IBM QRadar SIEM is vulnerable to a publicly disclosed DoS vulnerability in Spring Framework.
More info.

A vulnerability from 2013 exists in Cosminexus Component Container.
More info.

Critical vulnerabilities have been fixed in Thunderbird that are risks in browser or browser-like contexts.
More info.

SUSE has updated the kernel and glib2.
More info.

RedHat has updated firefox.  More info.
Oracle Linux has updated firefox.  More info.
Debian has updated firefox and others.  More info.

Juniper Quarterly Patches are out.  Eleven bulletins, two rated Critical, five High, the rest Medium.  The bulletins cover a variety of Juniper products, with CVSS ratings from 5.8 to 9.8.
More info.

The srxpfe process may crash on SRX Series services gateways when the UTM module processes a specific fragmented HTTP packet. The packet is misinterpreted as a regular TCP packet which causes the processor to crash.
More info.

Multiple vulnerabilities exist in the Embedthis Appweb server, used by J-Web, related to the way the server mishandles some HTTP headers and request fields. These issues may result in a Denial of Service (DoS) for the J-Web graphical user interface.
More info.

A vulnerability in the cryptographic driver for Cisco Adaptive Security Appliance Software (ASA) and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reboot unexpectedly.
More info.

A vulnerability was discovered in the web user interface of the F-Secure Internet Gatekeeper product. An unauthenticated user can cause a heap overflow by issuing a malformed HTTP request to the web user interface. A successful attack can lead to remote code execution on the F-Secure Internet Gatekeeper server.
More info.

The eCh0raix ransomware is reportedly being used to target QNAP NAS devices. Devices using weak passwords and outdated QTS firmware may get infected.  QNAP is working on a process to remove the malware.
More info.

Kaspersky has fixed a security issue in its products that could potentially compromise user privacy by using unique product id which was accessible to third parties. This issue was classified as User Data disclosure. The attacker has to prepare and deploy a malicious script on the web servers from where he will track the user.
More info.

SUSE has updated sqlite and others.
More info.

Oracle Linux has updated the kernel and others.  More info.

Multiple vulnerabilities have been discovered in Mozilla Firefox and Firefox ESR, the most severe of which could allow for arbitrary code execution.
More info.  And here.

GE Aestiva and Aespire Anesthesia contain an Improper Authentication vulnerability where serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration, which could then allow an attacker to remotely modify device configuration and silence alarms.
Very round about, GE says it's not a risk to patients.
More info.  And here.

Emerson DeltaV Distributed Control System contain a vulnerability where hardcoded credentials are not modified at install. The Smart Switch Command Center does not change the DeltaV Smart Switch management account password upon commissioning as expected, leaving the default password in effect indefinitely.
More info.

Rockwell Automation reports that a remote, unauthenticated threat actor with access to an affected PanelView 5510 Graphic Display, upon successful exploit, may boot-up the terminal and gain root-level access to the device’s file system.
More info.  And here.

GnuPG has published a maintenance release to mitigate the effects of the denial-of-service attacks on the keyserver network.
More info.

NetApp has published two bulletins covering third-party software vulnerabilities in their product.
More info.

SUSE has updated postgresql and others.
More info.

RedHat has updated bind and others.  More info.
Mageia has updated irssi, postgresql, and the microcode.  More info.

Microsoft Monthly Patches are out.  There are 78 vulnerabilities, 6 publicly disclosed, 15 rated Critical, and 2 exploited.  The two exploited are privilege escalation issues.  This month's update covers vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft Edge, Microsoft Office and Microsoft Office Services and Web Apps, Azure DevOps, Open Source Software, .NET Framework, Azure, SQL Server, ASP.NET, Visual Studio, and Microsoft Exchange Server.
More info.  And here.  And here.

Adobe Monthly Patches are out.  There are updates for DreamWeaver, Experience Manager, and Bridge CC.
More info.  And here.

SAP Monthly Patches are out.  There are 11 bulletins, one rated Hot News, one rated High, the rest rated Medium. 
More info.

The Hot News vulnerability is OS Command Injection vulnerability in SAP Diagnostics Agent.
More info.

Siemens Monthly Patches are out.  There are 14 bulletins, eight of which are updates.
More info.

The latest update for SIMATIC RF6XXR fixes multiple vulnerabilities related to outdated TLS versions that are still supported by the product.
More info.

The SIPROTEC 5 relays and their corresponding engineering software DIGSI 5 are affected by two security vulnerabilities which could allow an attacker to upload or download files to the device or to conduct a Denial-of-Service attack over the network.
More info.

Schneider Electric Monthly Patches are out.  There are six bulletins, two of which are updates.
More info.

Schneider Electric is aware of a vulnerability in the Zelio Soft 2 product which could cause remote code execution when opening a specially crafted Zelio Soft 2 project file.
More info.

Schneider Electric is aware of a vulnerability in the Interactive Graphical SCADA System (IGSS) product. Out-of-bounds Write vulnerability exists which could cause a software crash when data in the mdb database is manipulated.
More info.

A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission.
More info.

HPE has identified a vulnerability in HPE 3PAR Service Processor (SP) that can allow a remote information disclosure vulnerability which can allow for the disruption of the confidentiality, integrity and availability of the Service Processor and any managed 3PAR arrays.  CVSS 3.0 score of 10.0
More info.

Multiple components within Dell EMC Data Protection Central require a security update to address various vulnerabilities.
More info.

SUSE has updated zeromq.
More info.

Ubuntu has updated zeromq and glib.  More info.
Debian has updated zeromq.  More info.

Security vulnerabilities in HPE UIoT allow unauthorized remote access and access to sensitive data. 
Note that the CVSS score says PR:L, but it doesn't sound that way, so we're reporting.
More info.

NetIQ Access Manager contains a fix for an Apache vulnerability in Access Gateway.
More info.  And here.

Kaspersky has fixed a security issue found in Kaspersky Endpoint Security that could potentially allow third-parties to locally execute arbitrary code with user permissions and without privilege elevation. This issue was classified as DLL hijacking bug.
More info.

A remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library.
More info.

SUSE has updated bash and the kernel.
More info.

Arch Linux updated python-django.  More info.
RedHat has updated python and firefox.  More info.
Oracle Linux has updated the kernel.  More info.
Debian has updated python-django.  More info.