Flexera is unable to effectively track Red Hat OpenJDK on Windows systems due to inconsistent and conflicting identification information. They recommend a different JDK version.
More info.

ISC BIND is vulnerable to a denial of service, caused by the failure to limit the number of fetches performed when processing referrals. BIND is used by Power Hardware Management Console (HMC). Highest CVSSv3 score of 8.6
More info.

libssh vulnerabilities could allow a remote attacker to execute code on the client system when a user connects to the server. Highest CVSSv3 score of 7.5
More info.

NetApp has published five new bulletins covering vulnerabilities in third-party software included in NetApp products.  No patches yet.
More info.

The zerologon vulnerability allows remote attackers to bypass security constraints via a susceptible version of Synology Directory Server. CVSSv3 score of 10.
More info.

SUSE has updated jasper, rugygem, and others. More info.
OpenSUSE has updated perldbi and others.  More info.
Debian has updated modsecurity and one other.  More info.
Ubuntu has updated exim spamassassin. More info.

Multiple vulnerabilities have been discovered in Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP appliance.  These include a DoS originating from the management network that can be executed by an unauthenticated attacker.
More info.

NETGEAR has published 35 new security bulletins, covering many products and vulnerabilities.  Vulnerabilities include pre-authentication buffer overflow and command execution, authentication bypass, admin credential disclosure, XSS, and others.
More info.

Multiple security vulnerabilities have been identified in the HPE Pay Per Use Utility Computing Service (UCS) Meter. These vulnerabilities could lead to unauthenticated remote disclosure of information and code execution.  This product is EoL.
More info.

In versions of ALEOS, enabling Application Framework would enable a LAN-side unauthenticated Lua RPC server. IOActive has demonstrated that this RPC server permits remote code execution when enabled. CVSSv3 score of 8.1
More info.

Multiple issues was discovered in the mymbCONNECT24 and mbCONNECT24 software, including SQL Injection, CSRF, SSRF, and RCE via outdated third-party software.  Highest CVSSv3 score of 9.8
More info.

The netlogon protocol contains a flaw that allows an authentication bypass. This was reported and patched by Microsoft. Since the bug is a protocol level flaw, and Samba implements the protocol, Samba is also vulnerable. CVSSv3 score of 9.8
More info.

SUSE has updated samba, perl dbi, and others. More info.
Ubuntu has updated gnupg, pure-ftpd, samba, and others. More info.

Microsoft has released security updates for Microsoft Office for Mac.  This patches an Excel RCE vulnerability that has already been patched in Windows products.
More info.

CODESYS products use the Wibu CodeMeter software that contains critical security vulnerabilities.  Highest CVSSv3 score of 10.  Patches expected by the end of the month.
More info.

Apple has published security updates for iOS, iPadOS, Safari, tvOS, watchOS, xCode, and iTunes for Windows.
More info.

ABB Automation Builder uses the Wibu CodeMeter software that contains critical security vulnerabilities.  Detailed mitigation instructions included.  Highest CVSSv3 score of 10.
More info.

Oracle Linux has updated thunderbird and mysql.  More info.
Ubuntu has updated samba, perl dbi, and others. More info.
Mageia has updated libraw. More info.
Amazon Linux has updated java and clamav. More info.

Multiple vulnerabilities exist in various Video Over IP (Internet Protocol) encoder devices, also known as IPTV/H.264/H.265 video encoders. These vulnerabilities include hardcoded backdoor passwords, and allow an unauthenticated remote attacker to execute arbitrary code and perform other unauthorized actions on a vulnerable system.
More info. And here.

SPRECON-V460 products use the Wibu CodeMeter software that contains critical security vulnerabilities.  Highest CVSSv3 score of 10
More info. And here.

Multiple security vulnerabilities have been fixed in IBM Security Identity Manager Virtual Appliance. Highest CVSSv3 score of 9.8
More info.

IBM Cloud Transformation Advisor has addressed multiple Node.js vulnerabilities. Highest CVSSv3 score of 9.8
More info.

A publicly disclosed vulnerability in Eclipse Jetty is present in IBM eDiscovery Analyzer. CVSSv3 score of 9.4
More info.

Aruba has released updates to products affected by Linux Kernel vulnerabilities known as TCP SACK PANIC. Successful exploitation of the most severe of these vulnerabilities could allow a remote attacker to trigger a kernel panic and impact the system availability.
More info.

Four memory corruption vulnerabilities in the Aruba CX Switches have been found. Successful exploitation of these vulnerabilities could result in Local Denial of Service of both LLDP (Link Layer Discovery Protocol) and CDP (Cisco Discovery Protocol) processes in the switch. CVSSv3 score of 7.5
More info.

FreeBSD has updated ftpd, ure, and others.
More info.

SUSE has updated openssl and perl. More info.
Arch Linux has updated netbeans.  More info.
RedHat has updated mysql.  More info.
Ubuntu has updated apache xml-rpc, log4j, gupnp, and others. More info.
Mageia has updated zeromq. More info.

Public exploit code is available for CVE-2020-1472, an elevation of privilege vulnerability in Microsoft’s Netlogon. Patches came out in August, but CVSSv3 score is 10, so if you haven't patched you're at risk.
More info. And here.

IBM Maximo Asset Management is vulnerable to Java Deserialization.
More info.

NETGEAR has released fixes for an authentication bypass security vulnerability in several product models.  Remote Management being on is required to exploit this vulnerability.
More info.

A potential security vulnerability has been identified in Hewlett Packard Enterprise Universal API Framework. The vulnerability could be remotely exploited to allow SQL injection.  CVSSv3 score of 5.3
More info.

SUSE has updated the kernel, firefox, and ship. More info.
OpenSUSE has updated libxml2.  More info.
Arch Linux has updated netbeans.  More info.
RedHat has updated chromium, dovecot, and librepo.  More info.
Oracle Linux has updated the kernel.  More info.
CentOS has updated thunderbird and dovecot. More info.
Ubuntu has updated gupnp and cryptsetup. More info.

There exists a potential domain name collision vulnerability in SonicWall SSL-VPN technology that could result from a security misconfiguration of the impacted products.
More info.

An authentication bypass vulnerability exists in Apache ActiveMQ. The vulnerability exists due to an error in the authentication process, allowing a remote attacker to bypass authentication process and execute arbitrary code on the target system.
More info.

SUSE has updated tomcat, libxml2, and others. More info.
OpenSUSE has updated openldap2 and others.  More info.
RedHat has updated httpd.  More info.
Gentoo Linux has updated proftpd, php, zeromq, and others. More info.

A number of Pilz software tools use the WIBU-SYSTEMS CodeMeter Runtime application to manage licenses. This application contains a number of vulnerabilities, which enable an attacker to change and falsify a license file, allow DoS, and potentially execute arbitrary code. Highest CVSSv3 score of 10
More info.

Lenovo has reported vulnerabilities in several graphics, BIOS, and chip components.
More info.

The 2020 R3 OS Security Update addresses multiple third-party components within the listed Dell EMC Avamar and NetWorker products that require a security update to address various vulnerabilities.  Dell rates this Critical.
More info.

BIG-IP platforms with Cavium Nitrox SSL hardware acceleration cards and a very specific configuration may be vulnerable to crafted SSL/Transport Layer Security (TLS) handshakes that may result with a pre-master secret (PMS) that starts in a 0 byte and may lead to a recovery of plaintext messages. CVSSv3 score of 7.4
More info.

The ntpd in F5 products allows remote attackers to cause a DoS, either daemon exit or system time change, by predicting transmit timestamps for use in spoofed packets. Highest CVSSv3 score of 7.4
More info.

NetApp has published six new bulletins outlining vulnerabilities in third-party components included in NetApp products. No patches yet for most.
More info.

SUSE has updated the kernel, gimp, and others. More info.
OpenSUSE has updated go.  More info.
RedHat has updated chromium.  More info.
Oracle Linux has updated .net core, dovecot, and the kernel. More info.

A vulnerability identified in jackson-databind shipped with IBM Cloud Pak System could allow a remote attacker to execute arbitrary code on the system by sending specially-crafted input.
More info.

VMT MSS and VMT IS contains several vulnerabilities in WIBU SYSTEMS CodeMeter components. Highest CVSSv3 score of 10
More info.

ABB has several products affected by the WIBU-Systems Codemeter software vulnerabilities. Highest CVSSv3 score of 10
More info.

Multiple components within Dell EMC Data Protection Central require a security update to address various vulnerabilities.   Dell rates this Critical
More info.

SUSE has updated the kernel and others. More info.
Arch Linux has updated chromium. More info.
RedHat has updated httpd, dovecot, and openstack-nova.  More info.
Oracle Linux has updated postgresql and one other. More info.
Gentoo Linux has updated chromium. More info.

Palo Alto Networks Monthly Patches are out. One is rated Critical, five are rated High.  Highest CVSSv3 score of 9.8
More info.

A buffer overflow vulnerability in PAN-OS allows an unauthenticated attacker to disrupt system processes and potentially execute arbitrary code with root privileges by sending a malicious request to the Captive Portal or Multi-Factor Authentication interface.
More info.

Rockwell Automation has published a bulletin regarding vulnerabilities in Wibu-Systems’ CodeMeter. These vulnerabilities may result in remote code execution, privilege escalation, or DoS to the products dependent on CodeMeter. CodeMeter is distributed as part of the installation for FactoryTalk Activation Manager. Highest CVSSv3 score of 10
More info.

Multiple vulnerabilties were reported in WIBU-SYSTEMS Codemeter. WIBU-SYSTEMS Codemeter is installed by default during e!COCKPIT installation. All currently existing e!COCKPIT installation bundles contain vulnerable versions of WIBU-SYSTEMS Codemeter. Highest CVSSv3 score of 10
More info.

Multiple vulnerabilties were reported in WIBU-SYSTEMS Codemeter. WIBU-SYSTEMS Codemeter is used by several Phoenix Contact products. Highest CVSSv3 score of 10
More info. And here.

Google has published an update for Chrome for Desktop with 5 security fixes, all rated High.
More info.

Improper buffer restrictions in network subsystem in provisioned Intel AMT and Intel ISM may allow an unauthenticated user to potentially enable escalation of privilege via network access.  CVSSv3 score of 9.8
More info.

Samsung Mobile has put out a maintenance release for major flagship models as part of monthly Security Maintenance Release (SMR) process. This SMR package includes patches from Google and Samsung.
More info.

AVEVA Software has created a security update to address SQL Injection vulnerabilities in AVEVA Enterprise Data Management Web. The vulnerabilities exist in a component of eDNA Web and could allow a malicious entity to execute arbitrary SQL commands under the privileges of the account configured in eDNA Web for SQL access. Highest CVSSv3 score of 9.6
More info.

SUSE has updated openldap and the kernel. More info.
OpenSUSE has updated the kernel, thunderbird, firefox, and others. More info.
RedHat has updated .net core and others.  More info.
Oracle Linux has updated thunderbird and librepo. More info.
Ubuntu has updated gnutls and libx11. More info.

Qualcomm Monthly Patches are out, with 5 addressed CVEs, 1 rated Critical, 3 rated High, and the last Medium.  Three additional CVEs were addressed in Open Source software. Two vulnerabilities have an Access Vector of Remote.
More info.

Android Monthly Patches have been published with 36 addressed CVEs, plus Qualcomm closed-source component CVEs.  Three are rated Critical, two allow RCE.
More info.

The Pixel Monthly Software Update addresses 27 CVEs, plus Qualcomm closed-source component CVEs. No Critical vulnerabilities, although 3 allow RCE.
More info.

Adobe Monthly Security Bulletin updates include Experience Manager, Framemaker, and InDesign. All three updates address Critical vulnerabilities and allow arbitrary code execution.
More info.

Microsoft Monthly Patches include fixes for 129 vulnerabilities. Of these, 23 are Critical, highest CVSSv3 score of 9.9
More info. And here.

Siemens Monthly Patches are out, with 9 new bulletins, and 10 updated bulletins. Vulnerabilities present include XSS, insecure storage and transmission of sensitive information, DoS, RCE, and others.
More info.

Six vulnerabilities exist in different versions of CodeMeter Runtime, a product provided by WIBU Systems and used in several Siemens and Siemens Energy products for license management. Successful exploitation of these vulnerabilities could allow an attacker to alter and forge a license file, cause a DoS, attain remote code execution, or prevent normal operation. Highest CVSSv3 score of 10
More info.

SIMATIC HMI Products are affected by two vulnerabilities that could allow a remote attacker to discoveruser passwords and obtain access to the Sm@rt Server via a brute-force attack. Highest CVSSv3 score of 6.5.  No patches yet.
More info.

Schneider Electric has one bulletin listed, but the bulletin isn't available.  The full Monthly Patch set may not be out yet.  The bulletin overview reads: Schneider Electric is aware of multiple vulnerabilities in the SCADAPack 7x Remote Connect and the SCADAPack x70 Security Administrator applications.
More info.

SAP Security Patch Day saw the release of 10 new Security Notes and 6 updated Security Notes. Four are rated Hot News, two rated High, the rest Medium and Low. Bulletins cover Missing Authentication, Improper Authorization, XSS, Improper Input Validation, and other vulnerabilities.
More info.

SUSE has updated go and firefox. More info.
RedHat has updated postgresql, php, and others.  More info.
Arch Linux has updated gnupg.  More info.
Ubuntu has updated the kernel. More info.

SUSE has updated the kernel, firefox, and thunderbird.  More info.
OpenSUSE has updated php, curl, squid, and others. More info.
RedHat has updated thunderbird and jboss.  More info.
Oracle Linux has updated squid. More info.
Gentoo Linux has updated gnutls and dovecot. More info.
Mageia has updated postgresql and python. More info.

Dell has published an update for third-party software included in VxRail Appliance. Dell rates this update Critical.
More info.

Dell has updated Java SE in Dell EMC NetWorker Runtime Environment (NRE). Dell rates this High.
More info.

Importing an OpenPGP key having a preference list for AEAD algorithms will lead to an array overflow and thus often to a crash or other undefined behaviour.  Exploiting the bug aside from crashes is not trivial but likely possible for a dedicated attacker.
More info.

NetApp has published six new bulletins outlining vulnerabilities in third-party software included in their products.  No patches yet.
More info.

SUSE has updated php, java, the kernel, and others.  More info.
Arch Linux has updated python-django, ark, and go. More info.
RedHat has updated squid.  More info.
Oracle Linux has updated the kernel and dovecot. More info.
Ubuntu has updated the kernel.  More info.
Mageia has updated squid and others. More info.
Scientific Linux has updated dovecot. More info.
Amazon Linux has updated the kernel, python, and chrony. More info.

Cisco has published 15 new bulletins and one updated.  Of the new bulletins, one is rated Critical, a vulnerability in Cisco Jabber.  Four are rated High, only one of those allows exploit by remote attackers, Jabber again.  The rest are Medium, of those two are DoS and info exposure in ESA by remote attackers.
More info.

A vulnerability in Cisco Jabber for Windows could allow an authenticated, remote attacker to execute arbitrary code. An attacker could exploit this vulnerability by sending specially crafted XMPP messages. CVSSv3 score of 9.9
More info.

A vulnerability in the application protocol handling features of Cisco Jabber for Windows could allow an unauthenticated, remote attacker to execute arbitrary commands by convincing a user to click a link within a message sent by email or other messaging platform. CVSSv3 score of 8.8
More info.

A vulnerability in the TLS protocol implementation of Cisco AsyncOS software for Cisco ESA could allow an unauthenticated, remote attacker to cause high CPU usage on an affected device, resulting in a DoS. The vulnerability is due to inefficient processing of incoming TLS traffic. CVSSv3 score of 5.3
More info.

A vulnerability in the web-based management interface of Cisco AsyncOS software for Cisco ESA could allow an unauthenticated, remote attacker to access sensitive information on an affected device. CVSSv3 score of 5.3
More info.

IBM Security Guardium may use insufficiently random numbers or values in a security context that depends on unpredictable numbers. Rated Critical by IBM, CVSSv3 score of 5.3
More info.

Mozilla has published an update for Firefox for Android with several security fixes, one rated High.
More info.

SUSE has updated php, java, squid, and others.  More info.
RedHat has updated dovecot.  More info.

Due to improper validation of data prior to export, IBM Spectrum Protect Operations Center may allow an attacker to execute arbitrary code on the system. CVSSv3 score of 9.1
More info.

SUSE has updated squid, apache2, and curl.  More info.
OpenSUSE has updated postgresql, opera, and samba.  More info.
CentOS has updated firefox.  More info.
Ubuntu has updated x.org server, the kernel, libx11, and others.  More info.
Mageia has updated putty and mutt.  More info.

Cisco made significant changes to the bulletin regarding the DVMRP feature of Cisco IOS XR Software.  Worth a look again. No patches yet.  Currently being exploited.
More info.

IBM has published nine bulletins outlining vulnerabilities in Faster-XML jackson-databind that affect IBM Operations Analytics Predictive Insights. Highest CVSSv3 score of 9.8
More info.

IBM has published two bulletins outlining vulnerabilities in Faster-XML jackson-databind and Apache Log4j that affect IBM Security Guardium Insights. Highest CVSSv3 score of 9.8
More info. And here.

Rsyslog is vulnerable to heap-based buffer overflows which may affect IBM Spectrum Protect Plus. CVSSv3 score of 9.8
More info.

Xerox has published software for FreeFlow Print Server that includes Solaris, Java, and Firefox updates.
More info. And here.

SUSE has updated chromium, freerdp, and others.  More info.
OpenSUSE has updated chromium and others.  More info.
RedHat has updated libvncserver and others.  More info.
Oracle Linux has updated several packages.  More info.
Debian has updated apache2.  More info.
Ubuntu has updated python-rsa, django, and others.  More info.
Amazon Linux has updated python, ruby, samba, and others.  More info.

A vulnerability in the DVMRP feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust process memory of an affected device. The vulnerability is due to insufficient queue management for IGMP packets. No patches yet.  Currently being exploited.
More info.

Microsoft has updated chromium-based Edge with the latest chromium updates.
More info.

There is a vulnerability in the TCP protocol stack of several Mitsubishi Electric products that allows an attacker to impersonate the legitimate communication peer due to improper session management. If this vulnerability is exploited by an attacker, the attacker can impersonate a legitimate device and execute arbitrary commands, which may cause information disclosure, information tampering or destruction, and so on. Some updates, some workarounds.
More info.

SICK received a report about a security vulnerability within the platform mechanism AutoIP, used by multiple devices. Improper handling of exceptional conditions can lead to a reboot of the device, if parsing malformed network packets. CVSSv3 score of 7.5
More info.

Trend Micro has released two patches for Deep Security Manager and Vulnerability Protection. If LDAP authentication is enabled, an unauthenticated attacker with prior knowledge of the targeted organization may be able to bypass manager authentication. CVSSv3 score of 8.1
More info.

Security vulnerabilities in the HP-UX Tomcat-based Servlet Engine could be exploited remotely to create a Cache Poisoning or Security Constraint Bypass. Highest CVSSv3 score of 9.8
More info.

Tenable research discovered a DoS vulnerability in IBM Spectrum Protect. An unauthenticated, remote attacker can use a series of specially crafted messages to terminate the dsmsvc and dstasvc (Storage Agent) processes. CVSSv3 score of 7.5
More info.

IBM Watson Discovery for IBM Cloud Pak for Data contains vulnerable versions of FasterXML jackson-databind and Apache Spark.
More info.  And here.

The modern IIS module fails to catch and handle exceptions that result from failed attempts to read data from the HTTP client socket. Because it is possible experimentally to trigger this condition remotely, it results in a potential denial of service condition exploitable by a remote, unauthenticated attacker.
More info.

OpenSUSE has updated apache2, grub2, and others.  More info.
RedHat has updated git.  More info.
Debian has updated thunderbird and others.  More info.
Gentoo Linux has updated bind, kleopatra, openjdk, and others.  More info.
Mageia has updated the kernel, thunderbird, and others.  More info.