Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 553
Alerts This Week
Warning Icon 1 553

Stay Ahead With Linux Security Features

Filter%20icon Refine features
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is application sandboxing truly safe?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/155-is-application-sandboxing-truly-safe?task=poll.vote&format=json
155
radio
0
[{"id":500,"title":"Malware still escapes container walls.","votes":0,"type":"x","order":1,"pct":0,"resources":[]},{"id":501,"title":"Supply chains corrupt trusted packages.","votes":0,"type":"x","order":2,"pct":0,"resources":[]},{"id":502,"title":"Convenience consistently compromises strict security.","votes":1,"type":"x","order":3,"pct":100,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security features

We found 3 articles for you...
102

Critical NGINX Vulnerability CVE-2026-42945: What Linux Admins Should Check Now

New flaw leads to denial-of-service on affected NGINX configurations. If ASLR is disabled, it may become a remote code execution. . Known as NGINX Rift, CVE-2026-42945 affects NGINX’s ngx_http_rewrite_module and can allow unauthenticated attackers to crash worker processes with crafted requests. That matters because NGINX often sits at the edge of Linux infrastructure, handling web traffic, redirects, reverse proxy rules, API routing, load balancing, and application delivery. The configuration requirement may look narrow at first, but active exploitation changes the urgency. Vulnerable rewrite rules can sit in production for years without anyone reviewing them closely, leaving exposed NGINX servers as more than just another routine patch item. For Linux administrators, the immediate question is simple. Are any internet-facing NGINX systems using risky rewrite patterns, and have they been updated through official vendor channels? What You Need To Know CVE-2026-42945 affects NGINX Plus and NGINX Open Source. The flaw exists in the ngx_http_rewrite_module . The issue is tied to rewrite configurations using unnamed PCRE captures such as $1 or $2 , with replacement strings that include a question mark. An unauthenticated attacker can send crafted HTTP requests to trigger a heap buffer overflow in the NGINX worker process. The most likely impact is denial of service through worker crashes and restarts. Remote code execution may be possible in weakened environments, especially where ASLR is disabled. Administrators should prioritize official NGINX and vendor update s, then audit rewrite rules across internet-facing systems. Who Should Prioritize This First Not every NGINX server is automatically vulnerable. The risk depends on version, configuration, exposure, and whether vulnerable rewrite logic is reachable by an attacker. Still, some environments should move faster than others. Administrators should prioritize: Internet-facing NGINXservers Reverse proxies handling untrusted traffic API gateways using rewrite rules Kubernetes ingress deployments based on NGINX behavior Older virtual host configurations inherited from previous applications Containers or images that package NGINX directly Systems using unnamed capture references such as $1 or $2 Linux systems where ASLR has been disabled This is especially important for servers that have accumulated rewrite logic over time. Redirects, backend mappings, language routing, legacy URL support, and API path changes are often copied between systems and forgotten. That is where risk can sit unnoticed. Why This NGINX Flaw Matters NGINX is everywhere in Linux environments. It sits in front of web apps, Kubernetes ingress controllers, API gateways, cloud services, containers, and internal dashboards. In many environments, it is the first layer that handles untrusted traffic before a request ever reaches the application. That is what makes this flaw different from a bug buried deep inside one service. An attacker does not need shell access. They do not need stolen credentials. They do not need to reach the backend directly. If the vulnerable rewrite configuration is exposed, crafted HTTP requests may be enough to crash NGINX worker processes and disrupt availability. In production, that could look like intermittent 502 errors, failed API calls, broken redirects, unstable ingress behavior, or repeated worker restarts. In shared reverse proxy or Kubernetes environments, one exposed traffic layer may affect several services behind it. The second concern is how quickly bugs in edge-facing services attract attention. CVE-2026-42945 affects a widely used component and sits in rewrite logic that many teams probably have not reviewed in years. Public proof-of-concept activity has also been reported, which makes patching and configuration review harder to delay. What Makes CVE-2026-42945 Important The vulnerability is not triggered simply because NGINXis installed. According to F5’s advisory , the flaw exists when a rewrite directive is followed by a rewrite, if, or set directive and an unnamed PCRE capture, such as $1 or $2 , is used with a replacement string that includes a question mark. Under those conditions, crafted HTTP requests may cause a heap buffer overflow in the NGINX worker process. That creates a practical problem for Linux teams. Rewrite rules are often old. They are copied between servers, inherited from previous application versions, reused across reverse-proxy templates, and buried in site configs that no one has touched in years. In large environments, administrators may not immediately know which NGINX deployments use vulnerable rewrite patterns. That delay matters in response, since the vulnerability reportedly dates back many years, meaning older, long-lived systems may be exposed if they have not been updated through vendor channels. Old configuration logic has a way of surviving infrastructure migrations. A server might move from bare metal to the cloud. A site might move behind a load balancer. A service might become part of a containerized platform. But the rewrite rules often stay almost exactly the same. Quick 5-Minute Check Administrators should begin by identifying where NGINX is running, especially on internet-facing Linux systems. Check installed NGINX versions: nginx -v Review the active configuration: nginx -T Search for rewrite directives: nginx -T 2> /dev/null | grep -n "rewrite" Search for unnamed capture references: nginx -T 2> /dev/null | grep -E '\$[0-9]' Administrators should pay close attention to rewrite logic that uses captures such as $1 or $2 , especially when the replacement string includes a question mark. Additional priorities should include: Reviewing NGINX virtual host and site configuration files Checking reverse proxy and API gateway rewrite rules Auditing Kubernetes ingress configurations that rely on NGINX behavior Reviewing container images that package older NGINX versions Confirming whether ASLR is enabled on Linux systems Prioritizing externally reachable NGINX deployments first This quick check will not replace patching, but it can help teams find the highest-risk systems faster. Patching Is the Priority The safest response is to update NGINX through official channels. Administrators should apply fixes from F5, NGINX, or their Linux distribution rather than manually modifying source code or relying only on partial configuration changes. Organizations should monitor advisories and package updates from: Red Hat Ubuntu Debian Fedora SUSE AlmaLinux Rocky Linux NGINX upstream sources Cloud image and container image providers should also be checked closely. NGINX is often embedded in base images, reverse proxy containers, ingress controllers, and application delivery stacks. Updating the host operating system alone may not update every NGINX instance running across the environment. That is where teams often miss exposure. A patched server does not help if an older NGINX container is still deployed in production. Temporary Mitigation Requires Configuration Review For organizations that cannot patch immediately, configuration review becomes the next priority. F5’s advisory indicates that the vulnerable condition involves unnamed PCRE captures in certain rewrite patterns. Some reports have recommended replacing unnamed captures, such as $1 and $2 , with named captures where appropriate, but this should be tested carefully before production rollout. Administrators should be careful here. Rewrite rules can affect routing, redirects, authentication flows, API paths, application compatibility, SEO behavior, and backend request handling. A rushed change can break production traffic even if the security goal is valid. The better approach is controlled review: Identify exposed NGINX systems Find rewrite rules using unnamed captures Map whichapplications depend on those rules Test named-capture replacements in staging Deploy patched NGINX packages as soon as they are available Monitor logs for crashes, abnormal requests, and repeated worker restarts Temporary configuration changes can reduce exposure, but they should not become a substitute for patching. Why ASLR Still Matters One of the more important details in the current reporting is the difference between denial of service and code execution. On default hardened Linux systems, the most likely impact appears to be worker process crashes and restarts. That can still be serious, especially against high-traffic services where repeated crashes can degrade availability. But remote code execution becomes a larger concern when exploit mitigations are weakened. ASLR, or Address Space Layout Randomization, makes memory corruption exploitation harder by randomizing where code and data are loaded in memory. If ASLR is disabled, attackers may have a more reliable path from memory corruption to code execution. Administrators can check ASLR status with: cat /proc/sys/kernel/randomize_va_space A value of 2 generally indicates full randomization. A value of 0 means ASLR is disabled. If ASLR is disabled on exposed Linux systems, that should be treated as a serious hardening gap beyond this one vulnerability. Memory corruption flaws become more dangerous when basic exploit mitigations are turned off. Cloud and Kubernetes Environments Need Extra Review This gets more complicated in cloud and Kubernetes environments. If a vulnerable rewrite rule is exposed through an ingress controller or reverse proxy, the impact may not stop at one application. Crafted requests could repeatedly crash NGINX worker processes, trigger restarts, break routing, or affect several services sitting behind the same ingress layer. Cloud-hosted reverse proxies and API gateways run into the same problem. NGINX is used because it is fast, flexible, and familiar. But thatflexibility is also where old risk builds up. Teams add redirects, backend mappings, path normalization, language routing, legacy URL support, and API rewrites. Then those rules get copied, reused, migrated, and forgotten. Years later, they may still be running in production. That is why teams should check more than just traditional Linux servers. They should also review container images, Helm charts, ingress controller configurations, CI/CD deployment templates, and cloud images that include NGINX. Default Impact vs. Weakened-System Impact The impact depends heavily on configuration and hardening. Condition Likely Risk Vulnerable rewrite config exposed NGINX worker crash or denial of service ASLR enabled Exploitation is harder ASLR disabled Remote code execution risk may increase NGINX is used in the ingress or shared proxy layer Multiple services may be affected The older NGINX container is still deployed Host patching may not fully remove exposure This is why administrators should treat the issue as both a patching task and a configuration review task. Immediate Actions for Linux Admins Patch affected NGINX deployments immediately. Audit rewrite rules using unnamed captures such as $1 and $2 . Prioritize internet-facing NGINX servers and reverse proxies. Check container images and Kubernetes ingress deployments. Confirm ASLR is enabled on exposed Linux systems. Monitor logs for worker crashes, abnormal requests, and restart loops. Review vendor advisories for updated NGINX packages. Test any rewrite-rule mitigation before production rollout. Why Exposed Infrastructure Bugs Still Matter Linux servers now sit underneath nearly every modern environment. They power web applications, containers, cloud platforms, CI/CD systems, internal tools, and customer-facing services. Attackers know that edgeservices are valuable because they process untrusted traffic all day. A flaw in a public-facing web server, reverse proxy, or ingress layer can create immediate operational risk, even before attackers reach the application behind it. CVE-2026-42945 is a reminder that mature infrastructure components still need close attention. Old code paths, legacy rewrite behavior, and inherited configuration patterns can carry risk for years. Because in modern Linux environments, attackers do not always need to compromise the application first. Sometimes, they only need the traffic layer in front of it. Want more Linux security breakdowns and vulnerability response checklists? Subscribe to our newsletter for weekly infrastructure, hardening, and security updates. Related Reading Enhance Nginx Security With 25 Best Practices for Linux Linux Security in 2026 Hardening Monitoring and Defense Strategies Container Security Misconfigurations Kubernetes Threats Understanding Container Security Best Practices for Linux Admins The Linux Kernel in 2025: Security Enhancements, Emerging Threats & Best Practices . Known as NGINX Rift, CVE-2026-42945 affects NGINX’s ngx_http_rewrite_module and can allow unauthen. leads, denial-of-service, affected, nginx, configurations, disabled. . MaK Ulac

Calendar%202 May 18, 2026 User Avatar MaK Ulac
102

Why Red Hat’s krb5 Update Matters for Linux and Windows Authentication 

Red Hat released an Important krb5 security update for Red Hat Enterprise Linux 8 this week, addressing two vulnerabilities tracked as CVE-2026-40355 and CVE-2026-40356. On paper, it looks like another Linux package advisory. . Kerberos sits within the authentication layer that many enterprises use to connect Linux systems, Windows domains, Active Directory, file services, internal applications, and privileged-access workflows. When krb5 needs a security update, the concern is not just the package itself. It is the trust path behind it. The advisory listed in today’s security feed identifies RHSA-2026:16799 as an Important krb5 security update for RHEL 8. The issue is tied to MIT Kerberos 5 and specific NegoEx handling conditions that could allow an unauthenticated remote attacker to crash an affected process. This is not being described as credential theft or a full authentication bypass. That matters. But authentication-layer availability still matters, especially in mixed Linux and Windows environments where Kerberos helps determine who gets access to what. What Red Hat Fixed in the krb5 Update The update fixes two flaws in how MIT Kerberos 5 handles certain NegoEx authentication data. Instead of letting an attacker take over a system, the reported impact is that a specially crafted request could crash an affected process. For Linux teams, that still matters. krb5 often sits close to login flows, service authentication, identity integrations, and access control. A crash in the wrong process can interrupt more than one user session. It can affect file access, application access, administrative workflows, and service-to-service authentication. That is why Linux administrators should not dismiss the update simply because the impact reads like a denial-of-service attack. Why This Is More Than a Routine Package Update A RHEL system may use Kerberos directly. It may use SSSD. It may authenticate users through Active Directory . It may support Samba file shares, internal webapplications, automation systems, or administrative access that depends on Kerberos tickets in the background. In those environments, krb5 is not just another package. It is part of the access path. If that path breaks, the effect is operational first. Users cannot log in. Services fail to authenticate. File shares stop behaving correctly. Admins lose reliable access when they need it most. Logs fill with authentication errors that may obscure other activity. Those are not always breach scenarios, but they are security problems. Availability is part of security when the system being disrupted controls identity. Why Active Directory Environments Should Pay Attention Kerberos is closely tied to Microsoft Active Directory , but Linux systems rely on it too. In many organizations, Linux and Windows infrastructure share the same authentication backbone. A Linux server joined to Active Directory may use Kerberos to validate users, obtain tickets, and participate in domain-based access control. That makes this a Linux update with a Windows-relevant impact area. A Windows-heavy organization may still run Linux database servers, web applications, file services, monitoring platforms, container hosts, developer tooling, and CI/CD runners. If those systems authenticate through Active Directory, krb5 becomes part of the same identity chain. Not in the idea that this is a Windows vulnerability. It is not. The risk is that Linux systems often sit inside Windows-managed identity environments, and authentication flaws on one side can still affect the shared infrastructure on which both sides depend. How Authentication Outages Can Turn Into Security Problems The reported issue is narrower than a full Kerberos compromise. It depends on specific NegoEx handling conditions, and the public impact centers on crashing affected processes. That should keep the story grounded. Still, authentication bugs deserve attention because they sit close to critical workflows. A denial-of-service issue inauthentication can disrupt logins, interrupt access to internal systems, break service authentication, or create pressure during an incident. When users cannot authenticate, teams often move fast. Sometimes too fast. They restart services, bypass controls, delay policy enforcement, or open temporary access paths just to restore operations. Attackers do not always need to steal credentials to create useful disruption. Sometimes, they only need to make the identity unreliable. That is especially true in environments where Linux servers and Windows identity infrastructure are already tightly connected. What Linux Teams Should Check After Patching Linux teams running RHEL 8 should apply the krb5 update through normal security patching, then confirm that dependent services are restarted where needed. The update is rated Important in the feed, and the package sits close enough to authentication that it should not be pushed behind lower-risk maintenance. Admins should also check where Kerberos is actually used. In many environments, that list is longer than expected. Start with Linux systems joined to Active Directory. Review hosts using SSSD , PAM , Samba, LDAP integrations, GSSAPI-enabled applications, and services that depend on Kerberos-backed access. Pay special attention to file servers, administrative jump hosts, internal applications, and systems that support privileged workflows. CI/CD and automation systems are worth checking, too. If they rely on Kerberos-backed access to internal resources, authentication instability can affect builds, deployments, and operational tooling. After patching, monitor authentication logs for unusual failures, repeated crashes, or service restarts. A quiet patch is ideal. A noisy authentication layer usually means something else needs attention. What This Says About Linux and Windows Identity Risk This advisory is a useful reminder that Linux and Windows security are not separate in most enterprise networks. A Linux server may authenticateagainst Active Directory. A Windows user may access a Linux-hosted application. A Linux file server may depend on Kerberos tickets. A security team may need logs from both sides to understand what happened during an incident. The trust layer is shared, even when the operating systems are different. That is why krb5 updates matter. They are not always flashy, and they do not always point to immediate compromise. But they touch the systems that decide whether users, services, and administrators can access what they need. For Linux administrators, the takeaway is simple: authentication infrastructure belongs near the top of the patching queue. Not because every flaw is catastrophic, but because the systems behind login, identity, and service trust are too important to leave exposed. Bottom Line: Patch Authentication Before Trust Breaks The Red Hat krb5 update is not a dramatic vulnerability story. There is no confirmed domain takeover, no stolen credentials campaign, and no Linux privilege escalation chain in the advisory details provided. It still belongs on the radar. Kerberos is one of the places where Linux and Windows security meet. In enterprise environments, that overlap supports login flows, file access, service authentication, and administrative control. When krb5 is affected, the concern is not only the Linux package. It is the identity infrastructure behind it. That is what makes this update worth watching. Linux security is not only about patching exposed services or hardening the kernel. It is also about protecting the authentication paths that connect systems, users, and trust across the network. Stay Ahead of Linux Security & Authentication Risks Interested in more in-depth coverage of Linux security, enterprise authentication, Red Hat security updates, Kerberos risk, Active Directory integration, and infrastructure hardening strategies? Subscribe to the LinuxSecurity newsletter for weekly threat analysis, advisory coverage, and practical guidance for securing Linuxand open-source environments. Related Reading Red Hat Enterprise Linux 8.6 Security Update for Kerberos RedHat: RHSA-2022-8637:01 Important: krb5 security update Critical Linux-PAM Vulnerability Exposes Servers to Local Privilege Escalation RHEL 9.4 Security Enhancements: SELinux, Cryptography, More Comprehensive Linux Security Tools and Hardening Best Practices 2026 . Kerberos sits within the authentication layer that many enterprises use to connect Linux systems, Wi. released, important, security, update, enterprise, linux, address. . MaK Ulac

Calendar%202 May 14, 2026 User Avatar MaK Ulac
102

Linux Systems Running Wireshark May Be Exposed to Remote Attacks

Wireshark is one of those tools Linux teams quietly depend on everywhere: SOC pipelines, packet capture nodes, incident response systems, and long-running forensic environments. That’s what makes the newly disclosed vulnerabilities in Wireshark 4.6.5 more serious than a routine software update. . The release fixes more than 40 security flaws, including remote code execution (RCE), denial-of-service conditions, infinite loops, and decompression bugs affecting multiple protocol dissectors. For Linux administrators running Wireshark or tshark in production analysis environments, delaying this patch creates unnecessary exposure on systems that often already have elevated network visibility and capture permissions. What Happens When Systems Get Exploited? The immediate problem isn’t just that Wireshark crashes. Wireshark sits deep inside monitoring and triage workflows. When dissectors lock up, crash, or start chewing through CPU cycles, analysts lose visibility exactly when traffic volume or investigation pressure is already high. Some of the flaws trigger infinite parsing loops that never fully resolve malformed packets. Others corrupt memory hard enough to kill the process outright. On standalone analyst workstations, that usually means lost sessions and delayed inspection. Inside larger capture environments, though, the impact spreads further. Queues back up, packet drops increase, forensic timelines get gaps, and automated alerting pipelines start operating on incomplete data. The remote code execution cases are the more dangerous category because they shift the risk model entirely. A packet analysis system is normally treated as trusted infrastructure. It ingests internal traffic, sees sensitive protocols, and often has broad network access for visibility purposes. If malformed traffic can compromise that system directly, the monitoring layer itself becomes another pivot point inside the environment. That changes containment priorities fast. A compromised capture node is no longerjust blind. It can potentially be used for lateral movement, traffic manipulation, credential collection, or staging follow-on attacks against systems that assume the sensor is trustworthy. In environments handling enterprise telemetry or incident response data, that’s a serious escalation path even if the original exploit starts with something as small as a crafted packet stream. Why This Matters for Linux Systems In most enterprise setups, these tools don’t sit on laptops. They run on Linux boxes tied into pipelines, feeding SIEMs, enriching alerts, sometimes running unattended for days. That changes the blast radius. A crash is annoying. An infinite loop quietly eating CPU across a capture node is worse. And Remote code execution (RCE) on a box that already has visibility into network traffic, often running with elevated capture permissions, that’s where it stops being a tooling issue and starts looking like lateral movement prep. What Are the Risks? The issues cluster into a few buckets. Different failure modes, same entry point, packet parsing under load, or malformed input. 1. Remote Code Execution (RCE) This is the part that matters most, even if it’s not the majority of bugs. A few key components handle complex protocol logic, and that’s where things tend to break in ways that aren’t just crashes. Affected components include TLS Dissector ( CVE-2026-5402 ), SBC Codec ( CVE-2026-5403 ), RDP Dissector ( CVE-2026-5405 ), and Profile Import ( CVE-2026-5656 ). These aren’t edge protocols either, they show up in normal traffic, which makes filtering your way out of risk unrealistic once capture is already happening at scale. 2. Denial of Service (DoS) and System Hangs Most of the issues fall into this category. Not about taking over the system, more about making the tool stop working the way it should. In simple terms, this is a denial of service. Wireshark either crashes and stops, or it keeps running but gets stuck processing a packet and never completes it,so it can’t move on to the rest of the traffic. Dissector crashes affect more than 20 protocols, including Monero, ICMPv6, HTTP, and MySQL (CVE-2026-5299 through CVE-2026-6870). When this happens, the capture process can exit without warning, leaving gaps in data or incomplete analysis. The loop issues behave differently. Protocols like SMB2 and OpenFlow (CVE-2026-5407, CVE-2026-6521) can trap the process in a cycle where it keeps using CPU but doesn’t produce results, which slows everything down and, over time, can block other analysis tasks that depend on it. 3. Core Engine Decompression Flaws This sits a bit lower in the stack, but it cuts across multiple protocols. Compression handling tends to be reused, so one flaw propagates further than expected. zlib and LZ77 issues (CVE-2026-6535, CVE-2026-6533) can corrupt decompression flows and break parsing in ways that aren’t always obvious in logs, sometimes showing up as partial decodes, sometimes as full pipeline failures, depending on how the data flows through the dissector chain. Overview of Affected Components The spread is broad, not concentrated in one module. Critical protocols like TLS, RDP, SBC, and profile import paths tie to code execution paths (CVE-2026-5402, 5403, 5405, 5656), while looping issues show up in SMB2, TLS, MBIM, and OpenFlow (CVE-2026-5407, 6528, 6519, 6521). At the same time, more than 20 dissectors carry crash-level bugs (CVE-2026-5299 through CVE-2026-6870), and the decompression layer underneath, via zlib and LZ77 (CVE-2026-6535, CVE-2026-6533), adds another failure path that doesn’t care which protocol triggered it, only that compressed data passed through. The Role of AI in Security Research The Wireshark team pointed out that AI-assisted reporting helped surface many of these issues. That tracks with what we’re seeing elsewhere, wide sweeps across similar code paths instead of one-off bug hunting. It speeds up discovery, but it also changes expectations. When entire classesof parsing logic get scanned together, you don’t just fix a bug, you uncover families of them, which is likely why this release looks dense rather than incremental. Practical Remediation Steps for Linux Administrators Start with version verification . It sounds basic, but older nodes tend to linger in capture pipelines longer than expected. Run wireshark --version and confirm where you stand. Then update using your package manager, apt for Debian or Ubuntu, dnf for RHEL, CentOS, or Fedora, keeping it targeted so you’re not pulling unrelated upgrades into sensitive environments unless planned. Privilege handling is the next pressure point. Running Wireshark as root is still common in rushed setups, but it widens the outcome of any successful exploit. Use the Wireshark group instead with usermod -aG wireshark $USER and apply it with newgrp wireshark , which doesn’t remove risk but trims impact. Finally, keep an eye on capture pipelines. Not everything fails loudly. Infinite loops and partial crashes can quietly degrade visibility, and in a SOC context, that’s often worse than a hard failure because nothing alerts you until gaps show up somewhere downstream. If you’re tracking issues like this, Linux security newsletters are a great way to keep them on your radar. . The release fixes over 40 security flaws including RCE, DoS, and packet parsing issues in Wireshark for Linux systems.. Wireshark Remote Code Execution Linux Patch. . MaK Ulac

Calendar%202 May 06, 2026 User Avatar MaK Ulac
102

Apache HTTP Server 2.4.64 security patch: major threats resolved and risks

Apache HTTP Server 2.4.64 is here, and it’s carrying quite a load of security fixes that Linux admins absolutely need to pay attention to. Whether your Apache deployment is running simple HTTP workloads or juggling SSL/TLS-heavy configurations, let’s be clear—if you're on anything between 2.4.0 and 2.4.63, your system just got a target painted on it. . This article isn’t about convincing you to upgrade. It’s about understanding why not upgrading isn’t really an option. There’s a reason 2.4.64 is making waves: some of the vulnerabilities fixed in this release carry serious implications, spanning everything from denial-of-service (DoS) attacks to session hijacking and beyond. If you’re responsible for production web servers, read on. We'll cover what’s lurking in previous versions, who’s at risk, and how to tighten your configuration for maximum security in the face of these threats. Why Does This Release Matter? Let’s jump directly into why Apache HTTP Server 2.4.64 should matter to anyone running Linux-based servers. The update is tackling vulnerabilities that have persisted across various configurations—HTTP/2, mod_ssl, mod_proxy, header manipulation—the list goes on. It’s not just one bad bug; it’s a collection of exploits that, if left unpatched, give attackers tools for information disclosure, unauthorized access, session hijacking, and even proxy abuse. Take CVE-2024-42516 , for example—HTTP response splitting flaws have plagued web servers for years. Attackers who can control headers like Content-Type might manipulate HTTP responses, inject malicious code into your web pages, or poison your cache. Now, imagine this mixed with web applications that rely too heavily on dynamic headers. It’s an injection attack waiting to happen. And then there’s CVE-2025-53020 , where HTTP/2 processing mishandles memory management. Anyone running HTTP/2 workloads could see their server go down under the weight of a DoS attack. This isn't an obscure side case—itaffects Apache versions as far back as 2.4.17. But those are just two examples. Vulnerabilities related to Server-Side Request Forgery (SSRF), TLS session resumption, unescaped SSL error logs—you name it, 2.4.64 patched it. If you’re still lingering on 2.4.63 (or earlier), understand this: these flaws don’t stay theoretical for long. Exploits evolve fast, and real-world attackers don’t care if you’ve been busy balancing VM migrations or troubleshooting Kubernetes deployments. Understanding The Specific Risks: Who's in the Crosshairs? The severity of these vulnerabilities depends heavily upon your Apache configuration. Some setups are more exposed than others: mod_ssl-heavy deployments: If your server relies on SSL for critical workloads, CVE-2025-23048 and CVE-2024-47252 hit close to home. Poor logging practices or misconfigured TLS options can open doors to attackers manipulating error logs or bypassing virtual host access controls. HTTP/2 users: Servers running HTTP/2 backends are particularly susceptible to memory-related abuse ( CVE-2025-53020 ) and assertion failures ( CVE-2025-49630 ). Both vulnerabilities translate directly into DoS risks. Windows-based Apache setups: Windows admins, especially those using mod_rewrite or mod_headers with UNC paths, are staring down CVE-2024-43394 —a clever SSRF exploit with NTLM authentication leaks. Yes, this is a Linux-centric article, but mixed environments are increasingly common, and someone on your team is likely babysitting Apache on Windows. They need this update, too. Proxy configurations: Misuses of mod_proxy (e.g., interactions with mod_headers, ProxyPreserveHost settings) amplify potential risks tied to outbound traffic and desynchronization attacks. And let’s be honest. Default configurations are rarely ideal, especially when managing directives like SSLEngine optional, which the Apache team outright deprecated for security reasons this time around. If your setup hasn’t been revised in a while,you could inadvertently amplify your server’s exposure. What Happens If You Don’t Update? Let’s talk consequences. Here’s a snapshot of what happens if you skip or delay upgrading to 2.4.64: Denial of Service (DoS) Improper handling of HTTP/2 traffic or proxy modules could choke server resources. Imagine your infrastructure grinding to a halt just because someone dumped deliberately malformed requests into your pipeline. Sensitive Data Exposure Vulnerabilities like unescaped data in SSL logs (CVE-2024-47252) can deliver error log entries into the hands of malicious actors. Combine this with access control bypass issues (CVE-2025-23048), and your server might unintentionally hand out details about backend systems or client certificates. Exploitation of Business Logic Attackers leveraging response-splitting flaws (CVE-2024-42516) could hijack session tokens or execute JavaScript payloads to compromise web applications and backend systems. The cascade effect damages more than just your server; it hurts your users and business reputation. The point is, failing to upgrade doesn’t just weaken your server. It makes you an active participant in enabling attacks, whether it's by becoming part of an aggressive botnet or inadvertently leaking session-level credentials. Practical Steps to Secure Your Apache Deployment Alright, now that we’ve established the stakes, here’s what admins should do to stay ahead of threats: Upgrade First, Audit After: Move to version 2.4.64 as soon as possible, then evaluate your configuration. Look at directives like ProxyPreserveHost, wildcard SSL certificate usage, and obscure legacy settings that might conflict with updated security practices. Prioritize SSLStrictSNIVHostCheck: This is a critical directive for setups with multiple virtual hosts. Enabling it ensures trusted certificates never bleed between domains. If you’re unsure whether this applies to your hosts, test it manually—this isn’t the time for guesswork. Eliminate Vulnerable Features: The Apache team highlighted inherent risks with SSLEngine optional settings. If you use legacy TLS configurations, it’s time to cut them loose entirely rather than relying on half-patched solutions. Harden Proxy Configurations: If your workloads involve mod_proxy, restrict access to only required endpoints. Test SSRF-resilience by probing setups with direct outbound requests, especially on larger multi-domain deployments. Monitor Logs and Alerts: Vulnerabilities patched in mod_ssl and error log escaping remind us how valuable robust monitoring systems are. Tools like tail, regex, or centralized logging solutions should flag anomalies before attackers can exploit them further. Wrapping It All Up: What Makes Updating to Apache HTTP Server 2.4.64 So Critical? Apache HTTP Server 2.4.64 isn’t just another step in the ongoing march of updates; it’s a release that deserves immediate attention from Linux admins and security professionals alike. With eight CVEs addressed—including vulnerabilities that span HTTP response handling, proxy configurations, and memory management—the risks for unpatched servers are anything but trivial. The complexities of modern infrastructure demand proactive attention to security. Whether you’re responsible for a single VM or a sprawling hosting ecosystem, failing to act on this update is a gamble with stakes far too high. Review your configurations, upgrade promptly, and build a habit of monitoring LinuxSecurity advisories —you’re not just maintaining servers; you’re defending everything they stand for. Remember, as an admin, you’re the linchpin for keeping systems functional and secure. Make this patch a top priority! . Learn the critical reasons why upgrading Apache HTTP Server 2.4.64 is essential for Linux admins facing multiple risks.. apache, server, carrying, quite, security, fixes, linux. . Brittany Day

Calendar%202 Jul 12, 2025 User Avatar Brittany Day
102

Intel: CVE-2023-23583 Critical Update For Reptar Privilege Escalation

It was discovered that a sequence of processor instructions for some Intel processors leads to unexpected behavior that could allow an authenticated local user to escalate privileges ( CVE-2023-23583 ). This bug, dubbed "Reptar," could expose sensitive information or cause system crashes, resulting in denial of service attacks leading to loss of system access. . More recently, another Intel Microcode privilege escalation flaw was discovered. Researchers identified that a sequence of processor instructions leads to unexpected behavior for some Intel(R) Processors that may allow an authenticated user to escalate privileges ( CVE-2023-23583 ). This vulnerability also severely threatens impacted users’ sensitive data and system availability. What Is Google's Analysis of Reptar? According to Google Cloud, "The impact of this vulnerability is demonstrated when exploited by an attacker in a multi-tenant virtualized environment, as the exploit on a guest machine causes the host machine to crash, resulting in a Denial of Service to other guest machines running on the same host. The vulnerability could also lead to information disclosure or privilege escalation." Google security researcher Tavis Normandy also analyzed Reptar and concluded that the flaw could be exploited to corrupt the system state and force a machine-check exception. What Can I Do To Stay Safe? An important Intel Microcode update has been released to mitigate this severe bug. Given this vulnerability's damaging repercussions on impacted systems, we urge all affected users to update now to protect against information disclosure and loss of access to their critical systems if left unpatched. Debian , Debian LTS Fedora , Oracle , and Ubuntu have released important security advisory updates addressing Reptar. To stay on top of essential updates released by the open-source programs and applications you use, register as a LinuxSecurity user , subscribe to our Linux Advisory Watch newsletter, and customize youradvisories for your distro(s). This will enable you to stay up-to-date on the latest, most significant issues impacting the security of your systems. Follow @LS_Advisories on X for real-time updates on advisories for your distro(s) . . AMD has rolled out recent firmware enhancements targeting critical security vulnerabilities. Ensure you upgrade promptly to safeguard your information from potential breaches.. Intel Microcode Update, Privilege Escalation, Denial of Service, Security Advisory. . Brittany Day

Calendar%202 Dec 31, 2023 User Avatar Brittany Day
102

Chromium: High-Risk DoS and Info Disclosure Security Advisory

Several high-impact, remotely exploitable cybersecurity vulnerabilities were recently discovered in the popular Chromium free and open-source web browser. These network security issues could lead to the execution of arbitrary code, Denial of Service (DoS) attacks resulting in potentially exploitable crashes, or the disclosure of sensitive information. . Luckily, important Chromium security updates can fix these bugs and are now available. This article will cover these dangerous exploits in cybersecurity recently identified in Chromium and how users can update their systems to protect against these risks. The Discovery & The Impact The most severe data and network security threats recently discovered and patched in Chromium include: CVE-2023-1810: Heap buffer overflow in Visuals in Google Chrome prior to 112.0.5615.49 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) CVE-2023-1811: Use after free in Frames in Google Chrome prior to 112.0.5615.49 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) CVE-2023-1812: Out-of-bounds memory access in DOM Bindings in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to perform out-of-bounds memory access via a crafted HTML page. (Chromium security severity: Medium) CVE-2023-1813: Inappropriate implementation of Extensions in Google Chrome prior to 112.0.5615.49 allowed an attacker who convinced a user to install a malicious extension to bypass file access restrictions via a crafted HTML page. (Chromium security severity: Medium) CVE-2023-1814: Insufficient validation of untrusted input in Safe Browsing in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to bypass download checking via a crafted HTML page. (Chromium security severity: Medium) CVE-2023-1815: Use after free in Networking APIs in Google Chrome prior to 112.0.5615.49 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) CVE-2023-1816: Incorrect security UI in Picture In Picture in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to potentially perform navigation spoofing via a crafted HTML page. (Chromium security severity: Medium) CVE-2023-1817: Insufficient policy enforcement in Intents in Google Chrome on Android prior to 1 12.0.5615.49 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium) CVE-2023-1818: Use after free in Vulkan in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) CVE-2023-1819: Out-of-bounds read in Accessibility in Google Chrome prior to 112.0.5615.49 allowed a remote attacker to perform an out-of-bounds memory read via a crafted HTML page. (Chromium security severity: Medium) CVE-2023-1820: Heap buffer overflow in Browser History in Google Chrome prior to 112.0.5615.49 allowed a remote attacker who convinced a user to engage in specific UI interaction to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) CVE-2023-2033: Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Many of the cybersecurity vulnerabilities have been rated by the National Vulnerability Database as having a critical or high severity. These network security issues have a high impact on confidentiality, integrity, and availability. How Can I Secure My System Against These Critical Bugs? Chromium has released an important security update mitigatingthese network security issues. We strongly recommend that all impacted users apply the Chromium updates issued by their distro(s) as soon as possible to protect against exploits in network security leading to downtime, system compromise, and sensitive data loss. To see if your distro has issued an advisory for these Chromium cybersecurity vulnerabilities and to stay on top of important updates released by the open-source programs and applications you use, be sure to register as a LinuxSecurity user , then subscribe to our Linux Advisory Watch newsletter and customize your advisories for the distro(s) you use. This will enable you to stay up-to-date on the latest, most significant network security threats impacting your systems. We also encourage you to follow @LS_Advisories on Twitter for real-time updates on advisories for your distro(s) . Linux security expert and LinuxSecurity.com Founder Dave Wreski concludes, “It is crucial that all admins and organizations track security advisories diligently and apply patches as soon as they are released in order to stay ahead of attackers looking to exploit vulnerabilities to gain access to critical systems and confidential information.” . Important Chromium security updates can fix high-impact vulnerabilities. Apply patches to secure your systems promptly.. high-impact, remotely, exploitable, cybersecurity, vulnerabilities, recently. . Brittany Day

Calendar%202 Apr 21, 2023 User Avatar Brittany Day
102

Understanding Fork Bombing Attacks: Mechanisms And Prevention

Thanks to Anand Jahagirdar for this feature! As the variety of attacks and threats grow, you need to be prepared. In this HOWTO, get a feeling for the Fork Bombing Attack, what it is, how it works, where it comes from, how to deal with it and more. . Fork Bombing: Eckie S. Fork bombing means invoking fork system call infinite times by one or more processes. It is also defined as Spawning nearly infinite processes by one or more user processes. E.g. Simple C Loop *: - while (1) fork (); It spawns infinite processes which in turn lead to fork bombing. Fork bombing attack is usually done by a non root user. For example, a non root user, as an attacker, sends infinite requests to the server for denial of service. Another example of fork bombing attack is a simple loop *: - main () {fork() main () ;} In this case main function calls itself recursively. This loop can make the system crawl. (* warning: - execute both the loop at your own risk). It . Fork Bombing: Eckie S. Fork bombing means invoking fork system call infinite times by one or more pr. thanks, anand, jahagirdar, feature, variety, attacks, threats. . Anthony Pell

Calendar%202 Jun 08, 2010 User Avatar Anthony Pell
102

2004 Security Overview: Kernel Flaws And User Awareness

In 2004, security continued to be a major concern. The beginning of the year was plagued with several kernel flaws and Linux vendor advisories continue to be released at an ever-increasing rate. This year, we have seen the reports touting Window's security superiority, only to be debunked by other security experts immediately after release. Also, Guardian Digital launched the new LinuxSecurity.com, users continue to be targeted by automated attacks, and the need for security awareness and education continues to rise. . Kernel Issues 2004 started off on shaky ground with a , a piece of kernel code that controls virtual memory. It affected versions 2.2, 2.4, and 2.6. It was later discovered that the same vulnerability was used to exploit several high-profile Linux development sites in November 2003. Patches were released in early January by each of the major distributions. The flaw was fixed in further kernel releases. In February, a second mremap vulnerability was discovered by the Polish security consulting firm ISec. The was unrelated, but just as serious as the first. In theory, it could result in a denial of service or privilege escalation to root. Vendors responded much more quickly in this second instance. Fixes for 2.4 and 2.6 were released only in a matter of hours this second time. In March, Paul Starzetz of ISec released proof-of-concept exploit code for the second mremap flaw that was released in February. Several news sites failed to accurately read the report released in March and reported that a third kernel flaw as found. This was wrong, but it sparked a lot . Many were relieved to find out that the "third vulnerability" was in fact a misinterpretation. It was beginning to look like the "year of the kernel flaw," but luckily things quieted down in second quarter. The remaining portion of the year was scattered with other kernel vulnerabilities, but non received as much press as mremap. Anothernotable one was discovered in 2.6 last October. It was claimed that the vulnerability could be used to shut down 2.6-based systems remotely. It only affected those systems using iptables based firewalls, because the flaw had to do with the way 2.6 handled firewall logging. Patches were released and the problem was resolved. The volume of press generated by kernel vulnerabilities is ever increasing. With the growing number of a major enterprises adopting Linux as an operational component, trade magazines are dedicating a greater percentage of their editorial scope to it. From a journalist's perspective, flaws in the kernel make great news items. It invokes fear, causing people to pay attention. While news of the mremap vulnerability may not sway the opinion of you or me, it has great potential to make a CIO reluctant to adopt that long-term Linux project all of his techs have been begging for. This year though, the Linux community has stepped up, fixed its problems, and walked away with a lot of class. Instead of headlines reading, "Is Linux Ready for the Enterprise?," journalist were writing pieces about the efficiency of open source leading to a quick resolution. Rather than criticizing Linux because of its flaws, it was praised because of its ability to work through issues. Finally, people were starting to realize that large proprietary software companies often deny that vulnerabilities exist and sneak in security patches during upgrades. Linux is about openness and full-disclosure, a great benefit to all of its users. Linux Vulnerabilities The flip-side is that full-disclosure can be very overwhelming. For example, 35 Linux vendor security advisories were released last week alone. One can easily see this by taking a few minutes to walk through our Linux security advisory archive . Roughly 35 advisories a week for an entire year is 1,820. When other proprietary operating system vendors release a much smallnumber of advisories per year, people make quick and inaccurate conclusions. For example, suppose Microsoft released 50 advisories, and Linux vendors released 2000 in a given time period. 50 is less than 2000; therefore Windows must be more secure. Of course it is flawed logic, but in previous years people believed such numbers. Often, people failed to realized that Linux advisories are released for each individual package, for each distribution, and in many cases for very minor theoretical problems. In previous years, the full picture was not taken into account. Now, the public as well as many journalist are starting to realize that severity of vulnerability is also an important factor. Rather than the discovery of a vulnerability considered another failure for Linux, it is now seen as a success by many because it is one less unknown flaw. This year particularly, I have seen a shift in the IT community's way of thinking. Rather than ignoring vulnerabilities until they're a much bigger problem, much more emphasis is being placed on proactive resolution. In my opinion this is a major step in the right direction. Conflicting Reports While the question of Linux security vs.Windows security has always been around, 2004 has been plagued with groups of analysts, independent researchers, and analyst trying to authoritatively answer that question. British based the "most breached" OS, while Linux security experts considered the findings false because the virus/worm threat was not factored into their analysis. Windows advocates claim that Windows systems are breached more because they are a much more attractive target, Linux administrators claim that Windows systems are compromised more because they're impossible to secure. It has been a year of dueling reports. One month "Linux is less secure," the next, "." In the midst of all the swirling FUD, some truth did come out. Security depends on the administrator .Although I strongly believe that Linux has the potential to be more secure, I won't claim that it always is. The security of any system depends greatly on it's administrator. Lazy operating practices lead to stupid mistakes that can be exploited. Although high-profile vulnerabilities exist, many are only theoretical, or exploit code is not widespread. A significant number of compromises are still caused by poor configuration practices, or majorly outdated software. A proactive administrator greatly reduces the likelihood of major compromise regardless of the operating system. However, an open source operating system such as Linux provides an unmatched level of flexibility that allows a willing administrator to secure a system to any level he/she desires. Major Announcements One of the more interesting announcements in 2004 was the Mozilla Foundation offering a $500 bounty to those who discover bugs in its software. As I wrote previously, proactive measures are becoming common practice, not just a vague concept in an information security professional's dreamland. Other projects such as ethereal and several other open source projects announced updates to vulnerabilities found during a code audits. I see this as great progress. Like clockwork, SANS/FBI released its Top-20 vulnerability list. Some of the most significant Unix vulnerabilities outlined include BIND, webservers, authentication, version control systems, SNMP, SSL, misconfigured services, databases, and the kernel. ( SANS/FBI Top-20 ) The projects that we've been working on at Guardian Digital are close to my heart. 2004 has been a record year in many ways. We've announced the release of two new monthly newsletters, released new versions of EnGarde Secure Professional, the Intrusion Detection and Defense System, Secure Mail Suite, proactively protected customers from Linux kernel flaws, created and announced a worldwide partner division,continued to increase our customer base, and create a program to help companies address Sarbanes Oxley compliance. In the past month, Guardian Digital's major announcement has been the launch of the new LinuxSecurity.com . We updated the site to include all the old features many have grown to depend on while adding additional ones to better serve our readership. From a completely operational perspective this includes implementing an open source content management system, upgrading servers, as well as increasing bandwidth capacity. It has been an amazing year for us at Guardian Digital. Without your support, none of this would be possible. Security Overview 2004 has been a year of increased statistics. As predicted, security attacks are on the rise, the volume of spam has increased, viruses/worms continue to increase in severity, and security continues to grow as a concern. In the corporate world, this is mostly due to Sarbanes-Oxley . Because there are now strict penalties for negligence, executive management in most corporations are starting to get the picture and call for drastic improvements in security. From a home-user's perspective security is also playing a larger role. Windows users are adopting 'personal firewalls' at an increased rate, and others are getting disgusted by a continuously hijacked browser and increasing number of spyware applications. This constant nuisance has lead many to look for alternatives, which has fueled greater interest in Linux and Firefox. Although 2004 has been an active year in security, it has not been revolutionary. From a technological perspective the year has been semi-quiet. This past year, many have focused on improving the process of security, rather than looking for a magic bullet. Again, I think this is a sign of InfoSec's growing maturity. However, in my opinion it is mostly due to the fact that most have been working on a tightly constrained budget. Whilethere have been reports suggesting several terrorist organizations have been taking a much closer look into information security, viruses continue to run rampant in the Windows world, and DDoS attacks continue to be a major problem, I have not lost all confidence in the IT industry's ability to improve overall security. In my opinion, the single most significant factor holding back progress is user education. While companies can implement security awareness and training programs, the average home user does not stand a chance. New hacks and scams are invented each day. Unless a user is proactively aware, sooner or later they will be fooled. Although phishing attacks have existed for quite some time, they have become mainstream in 2004. I'm not sure a day goes by when I don't receive at least one email asking me to 'verify my PayPal information' or 'reactivate my Ebay account.' Although I have not fallen for any of these scams, countless others have. It is just another form of social engineering that is difficult to solve (if not impossible) purely with technology. User knowledge is as important as ever. Concluding Remarks In the Linux community, security continues to be a major concern and priority. Security is now viewed as a differentiator rather than a nuisance. While distributions like EnGarde Secure Linux, Trustix, and others have taken security seriously from the beginning, others such as Red Hat and Gentoo are looking to make SELinux an integral part of its structure. Implementation of security may differ between distributions, but everyone's goal is the same. Some users prefer greater security, other prefer ease of use. It is up to you to find the distribution which best fits your needs and goals. Also, it is important to stay informed and make implementation changes whenever necessary. Security is a road to be traveled, not a destination. . In 2004, Linux faced significant kernel vulnerabilities,underscoring the necessity for heightened advisories and user education regarding potential security threats.. Kernel Flaws, Security Awareness, Vendor Advisories, User Education, Linux Risks. . Benjamin D. Thomas

Calendar%202 Dec 23, 2004 User Avatar Benjamin D. Thomas
News Add Esm H240

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is application sandboxing truly safe?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/155-is-application-sandboxing-truly-safe?task=poll.vote&format=json
155
radio
0
[{"id":500,"title":"Malware still escapes container walls.","votes":0,"type":"x","order":1,"pct":0,"resources":[]},{"id":501,"title":"Supply chains corrupt trusted packages.","votes":0,"type":"x","order":2,"pct":0,"resources":[]},{"id":502,"title":"Convenience consistently compromises strict security.","votes":1,"type":"x","order":3,"pct":100,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200