Apple has published iOS 13, Safari 13, and watchOS 6 on the security bulletins page, but no details are available at the moment.
More info.

Xerox has published updates for the B1022/B1025 product lines that fixes the VxWorks Urgent/11 vulnerabilities.
More info.

F5 BIG-IP ASM may expose sensitive information and allow the system configuration to be modified when using non-default settings. The vulnerability is only present in certain rare configurations on multi-bladed systems (VIPRION) with BIG-IP ASM provisioned. A malicious actor may be able to connect to the affected interface to extract and/or modify sensitive information on the system.
More info.

Multiple vulnerabilities have been reported to affect versions of QTS and Photo Station. If exploited, these vulnerabilities may allow an attacker to access or modify paths and files used in system operations, or execute arbitrary code on the system and gain unauthorized access to data.
More info.

A reported buffer overflow vulnerability may affect the noip2 utility found in QNAP NAS devices running QTS. If exploited, the vulnerability could allow attackers to run arbitrary code on the NAS.
More info.

NetApp has published five security bulletins addressing vulnerabilities in third-party software included in their products.
More info.

SUSE has updated python pieces and openssl.  More info.
RedHat has updated the kernel and dovecot.  More info.
Oracle Linux has updated nginx, thunderbird, and patch.  More info.
Debian has updated php and others.  More info.

The Stable channel has been updated for Windows, Mac, and Linux. This update includes 4 security fixes, one rated Critical and three rated High.
More info.

A vulnerability in the web-based interface of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to execute a cross-frame scripting (XFS) attack on an affected device.
More info.

A vulnerability in the statistics collection service of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to inject arbitrary values on an affected device.
More info.

WAGO Series PFC100/PFC200 contain an Information Disclosure vulnerability that allows a remote attacker to check paths and file names that are used in filesystem operations.
More info.

Multiple components within Dell EMC Data Protection Central require a security update to address various vulnerabilities.  Dell rates this bulletin Critical.
More info.

There is an improper authentication vulnerability in some Huawei CloudEngine products. Due to the improper implementation of authentication, an attacker could exploit this vulnerability by connecting to the affected products and run a series of commands.
More info.

A SAML AuthnRequest with certain content, combined with non-default settings or SAML metadata explicitly resulting in a response including a "persistent" NameID, can bypass the intended controls and disclose a pairwise value meant for a different relying party.
More info.

SUSE has updated python, openssl, and libreoffice.  More info.
OpenSUSE has updated chromium.  More info.
CentOS has updated httpd, firefox, and others.  More info.
Ubuntu has updated tomcat and others.  More info.
Amazon Linux has updated the kernel, php, and others.  More info.

Honeywell has published three new bulletins for their security cameras, covering DoS, Replay Attack, and Unauthenticated Access to Audio vulnerabilities.
More info.

Advantech has published a patch that fixes a previously reported unauthenticated remote stack overflow vulnerability as well as code injection, RCE, and improper authorization vulnerabilities.  CVSSv3 is 9.8.
More info.

Several security vulnerabilities have been discovered in the Dräger Infinity Acute Care System and the Standalone Infinity M540 patient monitors which may cause the device to reboot and/or lose functionality. Information disclosure, DDoS, and device setting modifications are possible.
More info.

TIBCO Enterprise Runtime for R Server exposes a RCE vulnerability. This vulnerability allows an attacker to gain full control of the operating system account hosting the affected component. In addition to the information flowing through the system, the exposed information might include secrets necessary to issue trusted requests to other TIBCO Spotfire servers. CVSSv3 of 10
More info.

TIBCO Enterprise Runtime for R Server Running On Linux With Containerized TERR Service is vulnerable To RCE. This vulnerability allows an attacker to gain full control of the operating system account hosting the affected component. In addition to the information flowing through the system, the exposed information might include secrets necessary to issue trusted requests to other TIBCO Spotfire servers. CVSSv3 of 9.9.
More info.

Some models of FortiAnalyzer and FortiManager have a default setting of "Failover", for remote IPMI access; this means that if no cable is plugged in the IPMI port, the IPMI implementation will request an IP address on the regular LAN port of the device, via DHCP requests, making the IPMI interface network accessible. This presents an operational risk, as this default behavior may not be known or understood by administrators of the device; the latter risk is more important if the default IPMI admin passwords have not been changed.
More info.

SUSE has updated openssl, firefox, openldap, python, and others.  More info.
OpenSUSE has updated curl.  More info.
CentOS has updated firefox and the kernel.  More info.

VMware has multiple vulnerabilities, including plain-text logging of credentials when creating virtual machines.
More info.

SUSE has updated django and curl.  More info.
OpenSUSE has updated samba and others.  More info.
RedHat has updated nginx and qpid-proton.  More info.
Oracle Linux has updated thunderbird.  More info.
Ubuntu has updated exim.  More info.

Simjacker is a vulnerability currently being actively exploited by a specific private company that works with governments to monitor individuals. The main Simjacker attack involves an SMS containing a specific type of spyware-like code being sent to a mobile phone, which then instructs the SIM Card within the phone to ‘take over’ the mobile phone to retrieve and perform sensitive commands. During the attack, the user is completely unaware that they received the attack, that information was retrieved, and that it was successfully exfiltrated.  Simjacker has been further exploited to perform many other types of attacks against individuals and mobile operators such as fraud, scam calls, information leakage, denial of service and espionage.
More info.

Mozilla has patched seven vulnerabilities, six rated High, in Thunderbird.
More info.

OpenBSD has patched libexpat, which contains a heap overflow vulnerability.
More info.

OpenSUSE has updated go, python, and others.  More info.
RedHat has updated thunderbird.  More info.
Debian has updated thunderbird.  More info.
Ubuntu has updated wireshark.  More info.
Mageia has updated wireshark, openldap, and others.  More info.

Avaya has issued 15 security bulletins for RedHat OS vulnerabilities, listing the products that are based on RHEL.
More info.

Multiple denial of service vulnerabilities have been identified in the Citrix SD-WAN Appliance and Citrix SD-WAN Center Management Console. These vulnerabilities could permit a remote attacker to cause a denial of service by causing a host crash or by causing reduced service capacity due to resource exhaustion.
More info.

SUSE has updated curl, python, and others.  More info.
Oracle Linux updated the kernel and others.  More info.
Ubuntu has updated curl, expat, and others.  More info.
Mageia has updated flash, thunderbird, firefox, squid, the kernel, and others.  More info.

The Philips WLAN Module in IntelliVue Monitors contains a security vulnerability. An attacker with access to the device’s local area network can cause potential corruption of the WLAN firmware and data flow. Should there be an interruption an inoperative device alert on the device and on its associated central station would appear.
More info.

A recently discovered security vulnerability affects Access Professional Edition (APE) installations. An unauthenticated attacker can achieve unauthorized access to sensitive data by exploiting Windows SMB protocol on a client installation.
More info.

A recently discovered hard-coded credentials security vulnerability affects Access Professional Edition (APE) installations. The vulnerability can be used to achieve unauthorized access to sensitive data of the APE system. This could enable a potential attacker to get unauthorized access to the site.  CVSSv3 score of 9.9
More info.

A specific crafted request may cause a stack-based buffer overflow and could therefore execute arbitrary code on the CODESYS ENI server or lead to a denial-of-service condition due to a crash in the CODESYS ENI server.  CVSSv3 score of 10.
More info.

It may be possible to make Wireshark consume excessive CPU resources by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
More info.

Trend Micro has released updates for Deep Security and Vulnerability Protection that resolves a vulnerability related to XML External Entitiy (XXE) attacks.
More info.

RSA BSAFE Crypto-C Micro Edition and RSA BSAFE Micro Edition Suite updates contain multiple security vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.
More info.

RedHat has updated flash, nginx, and others.  More info.
Oracle Linux updated the kernel and firefox.  More info.

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights
More info.

Delta Electronics TPEditor contains multiple vulnerabilities.  These vulnerabilities can be exploited by processing specially crafted project files, which may allow an attacker to remotely execute arbitrary code.
More info.

OSIsoft PI SQL Client contains a security vulnerability in a third-party component that could allow an attacker to remotely execute code on the client computer with the same permissions as the PI SQL Client user.
More info.

An unauthenticated, remote stack overflow vulnerability was identified in Advantech WebAccess/SCADA.
More info.

BIG-IP products contain a vulnerable version of wireshark.  An attacker can leverage this issue to stop the affected application and deny service to legitimate users.
More info.

Avaya one-X Client Enablement Services is built on RHEL6, which contains a vulnerable version of Firefox.
More info.

NetApp has published four new bulletins covering vulnerabilities in third-party software.
More info.

OnCommand Workflow Automation shipped without certain HTTP Security headers configured which could allow an attacker to obtain sensitive information via unspecified vectors.
More info.

OpenSUSE has updated nginx and others.  More info.
RedHat has updated firefox, the kernel, and others.  More info.
Ubuntu has updated curl, tomcat, and others.  More info.

Microsoft Monthly Patches are out, with updates for Microsoft Windows, Internet Explorer, Microsoft Edge, ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, Adobe Flash Player, Microsoft Lync, Visual Studio, Microsoft Exchange Server, .NET Framework, Microsoft Yammer, .NET Core, ASP.NET, Team Foundation Server, Project Rome.  There are 80 vulnerabilities, with 18 rated Critical, 3 publicly disclosed, and 2 exploited.  28 allow RCE.
More info.  And here.  And here.

Adobe Monthly Patches are out.  There are bulletins for Flash Player and Application Manager.
More info.

Adobe has released security updates for Flash Player for Windows, macOS, Linux and Chrome OS.  Successful exploitation could lead to arbitrary code execution in the context of the current user.
More info.

Adobe has released a security update for the Application Manager installer for Windows.  This update resolves an insecure library loading vulnerability in the installer that could lead to Arbitrary Code Execution.
More info.

OpenSSL has published a security update to fix a vulnerability that would allow an attacker with the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto, which may result in full key recovery during an ECDSA signature operation.
More info.

Eaton is aware of potential vulnerabilities in the Intelligent Power Protector (IPP) software.  No further information was provided.
More info.

Today is Siemens Monthly Patch Day.  There are seven new and three updated bulletins.
More info.

Siemens has evaluated DejaBlue in their Healthineer products, and published a list of affected products and remediation or expected patch dates.
More info.

RUGGEDCOM WIN70xx and WIN72xx Base Stations are affected by the VxWorks vulnerabilities published as Urgent/11.  Workaround published for now.
More info.

There is a XSS vulnerability in IE/WSN-PA Link WirelessHART Gateway. Only a workaround is provided.
More info.

A vulnerability could allow an attacker to cause a Denial-of-Service condition on the UDP communicationby sending a specially crafted UDP packet to the SIMATIC TDC CP51M1 module.  This one is patched.
More info.

Multiple Siemens products are vulnerable to TCP SACK PANIC.  Some patches, more coming.
More info.

The latest update for SINEMA Remote Connect Server fixes four vulnerabilities in the web interface.Two of the vulnerabilities are missing protection mechanisms for password guessing and for Cross SiteRequest Forgery attacks, the third one is a missing authentication check, and the fourth one could allowan attacker with administrative privileges to obtain a device password hash.
More info.

Schneider Electric Monthly Patches are out, with two new and two updated bulletins.
More info.

Schneider Electric is aware of multiple vulnerabilities in its U.motion din rail and touch panel servers.
More info.

Schneider Electric is aware of a vulnerability in its Modicon Quantum 140 NOE771x1 controllers.  An Improper Check for Unusual or Exceptional Conditions vulnerability exists, which could cause a DoS condition.
More info.

It's SAP Monthly Patch Day, with 10 new and three updated bulletins.  One new bulletin and the three updates are rated Hot News, one rated High, the rest Medium and Low.
More info.

SUSE updated java.  More info.
OpenSUSE has updated opera.  More info.
RedHat has updated bind, the kernel, firefox, and others.  More info.
Oracle Linux has updated the kernel.  More info.
Ubuntu has updated python and memcached.  More info.
Amazon Linux has updated exim.  More info.
Mageia has updated sqllite, java, poppler, php, irssi, tomcat, dovecot, python, and others.  More info.

Xerox has released updates for WorkCentre to fix the Wind River VxWorks vulnerabilities.
More info.

A potential vulnerability has been identified in Service Manager. An HTTP cookie vulnerability could be exploited to allow access to sensitive data in client-side.
More info.

Multiple vulnerabilities have been found in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor, including DoS and Information disclosure.
More info.

The Traffic Ops API component of the Apache Traffic Control project is vulnerable to improper authentication when LDAP is enabled. Given a username for a user that can be authenticated via LDAP, it is possible to improperly authenticate as that user without that user's correct password.
More info.

There are version downgrade vulnerabilities on smartphones and HiSuite. The device and HiSuite software do not validate the upgrade package sufficiently, so that the system of smartphone can be downgraded to an older version.
More info.

LibreOffice has updated to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed by employing a URL encoding attack to defeat the path verification step.
More info.

A Windows 8.3 path equivalence handling flaw left LibreOffice vulnerable under Windows that a document could trigger executing LibreLogo via a Windows filename pseudonym.
More info.

SUSE updated python pieces, apache, postgresql, mariadb, and others.  More info.
OpenSUSE has updated chromium, exim, and others.  More info.
Arch Linux has updated exim.  More info.
Ubuntu has updated exim.  More info.
Gentoo Linux has updated perl, apache, pango, exim, and others.  More info.
Mageia has updated sqllite, java, poppler, php, irssi, tomcat, dovecot, python, and others.  More info.

NETGEAR has published seven new security bulletins.  Two are Pre-Authentication vulnerabilities, four are for Information Disclosure vulnerabilities, and one is Security Misconfiguration.
More info.

If your Exim server accepts TLS connections, a local or remote attacker can execute programs with root privileges. This does not depend on the TLS libray, so both, GnuTLS and OpenSSL are affected. The vulnerability is exploitable by sending a SNI ending in a backslash-null sequence during the initial TLS handshake. The exploit exists as a POC.
More info.

Symantec Network Protection products using affected versions of the Linux kernel are susceptible to multiple vulnerabilities. A remote attacker can cause denial of service through resource exhaustion and memory corruption.
More info.

Symantec Network Protection products using affected versions of OpenSSL are susceptible to multiple vulnerabilities. An attacker can recover DSA, ECDH, and ECDSA private keys through timing side-channel attacks. A remote attacker can also decrypt encrypted ciphertext and modify OpenSSL configuration and executable engine modules.
More info.

BD Pyxis, a medication management platform, contains a vulnerability where existing access privileges are not restricted in coordination with the expiration of access based on active directory user account changes when the device is joined to an AD domain.  Note that these devices should not be joined to an AD domain.
More info.  And here.

Red Lion Controls Crimson software contains multiple vulnerabilities, including Use After Free, Improper Restriction of Operations within the Bounds of a Memory Buffer, Pointer Issues, and Use of Hard-coded Cryptographic Key.
More info.  And here.

Dell has published updates for EMC Cloud Tiering Appliance and Cloud Tiering Appliance Virtual Edition that correct security vulnerabilities in third-party software.
More info.

A vulnerability in a Kubernetes component used by Micro Focus CDF platform could be exploited to allow unauthorized modification of data and Denial of Service. The out-of-the-box configuration of the Kubernetes component is actually not vulnerable, but because customers may run custom commands, Micro Focus has issued a security bulletin.
More info.

NetApp has published three bulletins regarding vulnerabilities in third-party software in their products.
More info.

Asterisk has published two new security bulletins, covering DoS vulnerabilities that could cause the Asterisk server to crash.
More info.  And here.

SUSE updated python pieces, nginx, and others.  More info.
Oracle Linux has updated firefox, the kernel, and ghostscript.  More info.
Debian has updated firefox and exim.  More info.

NETGEAR has published 40 new security bulletins.  Six are Pre-Authentication vulnerabilities, while 26 are for Post-Authentication vulnerabilities.  Stored XSS, DoS, and SQL Injection make up the remaining bulletins.
More info.

Data Protection Central contains an Improper Certificate chain of trust vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by obtaining a CA signed certificate from Data Protection Central to be able to impersonate a valid system to compromise the integrity of data.
More info.

The Oracle database components in RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance require a security update to address various vulnerabilities.
More info.

Xerox has updated Oracle, Java, and Firefox in their FreeFlow Print Servers.
More info.  And here.

A vulnerability was discovered in the web user interface of the F-Secure Security and F-Secure Email and Server Security product. The authentication on the web user interface can be bypassed which will grant administrator privileges of the product.  This issue and a Proof-of-Concept exploit was reported privately to F-Secure.  Default configuration only allows localhost access.
More info.

NetApp has published three bulletins regarding vulnerabilities in third-party software in their products.
More info.

Cisco has published eight bulletins, 2 rated High, 5 Medium, and 1 Informational.
More info.

A vulnerability in the “plug-and-play” services component of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to access sensitive information on an affected device.
More info.

A vulnerability in the Cisco Webex Teams client for Windows could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected system.An attacker could exploit this vulnerability by convincing a targeted user to visit a website designed to submit malicious input to the affected application.
More info.

SUSE updated java, python, and the kernel.  More info.
RedHat has updated firefox, chromium, and others.  More info.
Ubuntu has updated firefox, and irssi.  More info.

Google has published the Android Monthly Patches bulletin.  There are 35 addressed vulnerabilities, plus Qualcomm.  Two of the vulnerabilities are rated Critical and allow RCE, the rest are rated High.
More info.

The Pixel Monthly bulletin addresses 46 vulnerabilities.  Two are rated High, the rest Moderate.
More info.

Qualcomm Monthly Patches are out, with 13 vulnerabilities, 2 rated Critical, the rest rated High.
More info.

Mozilla has fixed multiple security vulnerabilities in the latest releases of Firefox and Firefox ESR.
More info.  And here.  And here.

Tor has released a new version with security fixes to Firefox included.
More info.

CA Common Services, in the Distributed Intelligence Architecture (DIA) component, contains a vulnerability that can allow a remote attacker to execute arbitrary code.
More info.

In EZAutomation EZ Touch Editor and EZ PLC Editor an attacker could use a specially crafted project file to overflow the buffer and execute code under the privileges of the application. 
More info.  And here.

Aruba has released updates to ArubaOS that address serious vulnerabilities present in some versions running on the Aruba Mobility Controller. An attacker could use these vulnerabilities to execute arbitrary code on the underlying operating system with full system privileges.
More info.

SUSE updated php, java, and others.  More info.
OpenSUSE has updated postgresql and others.  More info.
Arch Linux has updated firefox and webkit2gtk.  More info.
RedHat has updated the kernel and others.  More info.
Oracle Linux has updated squid and others.  More info.

A group of vulnerabilities named "USBAnywhere," leverages several newly discovered vulnerabilities in the firmware of BMC controllers that could let an unauthorized, remote attacker connect to a Supermicro server and virtually mount malicious USB device.
More info.

SUSE updated php and others.  More info.
OpenSUSE has updated go, apache, libreoffice, and others.  More info.
Ubuntu has updated the kernel.  More info.

IBM is reporting new software versions for the Vyatta 5600 vRouter correcting multiple vulnerabilities.  Highest CVSSv3 is 9.8
More info.  And here.

In a rare scenario, R80.30 Security Gateway managed by R80.30 Security Management crashes when Threat Prevention Forensics feature is enabled.
More info.

Check Point Endpoint Security Initial Client for Windows tries to load a DLL placed in any PATH location on a clean image without Endpoint Client installed.
More info.

SUSE updated the the kernel and perl, django, and others.  More info.
RedHat has updated squid, java, and others.  More info.
Debian has updated nghttp2.  More info.
Gentoo Linux has updated dovecot and others.  More info.
Mageia has updated webmin, pango, python, memcached, and others.  More info.