2026-07-05
Roundcube has released versions 1.7.2 and 1.6.17, delivering critical security patches for the widely deployed self-hosted webmail client. The update resolves multiple high-severity vulnerabilities, including a zero-click stored XSS flaw, an SSRF bypass, and several password plugin misconfigurations involving session-injected usernames. Findings from independent researchers and Samsung R&D highlight the increasingly active threat landscape surrounding the PHP-based IMAP bridge, prompting the team to recommend an immediate production rollout. Administrators are advised to back up their data and follow the official upgrade guide to mitigate risks before the next targeted exploit window closes.
Shelly-ALPM 2.4.1.1 has arrived, adding JSON output support for CLI commands, a new visual dependency graph called Starfish, and direct install links from the Flathub website. Built directly on libalpm rather than wrapping pacman, the project now runs on a mix of Zig and C# to bypass shell process overhead and deliver faster search results. The release follows CachyOS officially adopting Shelly as its default package manager in April 2026, signaling the tool's transition from niche experiment to production-ready standard. Arch users can now update via the AUR or build from source to take advantage of the new scripting capabilities, improved AUR filtering, and a rebuilt Vala-based tray service.
Security teams across major distributions including RHEL, Ubuntu, Debian, Fedora, and SUSE released a massive wave of patches this week targeting critical flaws in the Linux kernel, web stacks, and databases. The updates address dangerous vulnerabilities such as buffer overflows in PHP 8.2 and 8.4, arbitrary code execution in ImageMagick, and SQL injection in Sogo, with several advisories officially rated as critical. While Slackware kept the patch count lean with just three fixes, the broader ecosystem is pushing routine maintenance for container runtimes like Podman and runc alongside database engines like MariaDB and PostgreSQL. Administrators should prioritize applying kernel and glibc updates immediately, as these core components underpin most of the affected services across all distributions.
GOverlay 1.8.5 has arrived, bringing a complete rewrite of its OptiScaler DLL management to eliminate GitHub API slowdowns and prevent config corruption. The update introduces automated CI builds, a bleeding-edge channel for testing the latest git code, and an OBS_VKCAPTURE toggle tailored for Linux streamers. Built entirely in Free Pascal, the project continues to deliver a reliable, static binary that wraps MangoHud, vkBasalt, and upscaling tools into one interface. While the Flatpak sandbox does restrict host tools like GameMode, GOverlay remains a widely distributed staple for Linux gaming configuration.
XanMod maintainer Alexandre Frade has released Linux 7.1.3-xanmod1 and Linux 6.18.38-xanmod1, tracking the upstream point releases dropped on July 4, 2026. Both builds inherit all upstream stability and security patches while adding XanMod's performance enhancements, including LLVM ThinLTO compilation, sched_ext support, and Google's multigenerational LRU framework. The update offers users the choice between the mainline 7.1.x series or the 6.18 LTS branch, the latter of which features a dedicated real-time build for latency-sensitive workloads and is available via the official APT repository for Debian-based distributions. Third-party optimizations such as AMD's 3D V-Cache driver, Cloudflare's TCP collapse, and BBRv3 congestion control round out the release, alongside targeted fixes for ksmbd, apparmor, and various WiFi drivers.
The Linux kernel stable team shipped fresh point releases across all active longterm branches on July 4, capping at Linux 6.18.38. The update focuses heavily on stability and security, closing out-of-bounds reads in ksmbd, fixing TCP-AO use-after-free paths, and hardening the NFS server against silent data loss during deferred writeback errors. Meanwhile, the 5.10 and 5.15 trees are counting down to their December end-of-life deadline, pushing embedded and enterprise vendors to finalize migration plans for the 6.1 or 6.6 branches.
Greg Kroah-Hartman signed off on Linux Kernel 7.1.3 on Saturday, July 4, 2026, delivering a stable patch release just twenty-one days after the v7.1 feature drop. The update focuses heavily on memory safety, addressing a critical ksmbd out-of-bounds heap read, a KVM AMD SEV page overflow, and a Hyper-V nested virtualization bounds check failure. Production environments will appreciate the fixes for the NFS server subsystem, which saw roughly a dozen commits clearing up ACL leaks and state management races, alongside a crucial resolution for a MIPS PREEMPT_RT reboot hang that was stalling OpenWrt router upgrades. You can grab the tarball from kernel.org and verify it against Greg's PGP signature before running the standard build sequence or waiting for your distribution to push the update.
SUSE released a batch of security advisories for openSUSE Leap 16.0 that address multiple vulnerabilities across keybase-client, python-pydata-sphinx-theme, glibc, rmt-server, and systemd. Four of these patches carry an important rating due to CVE-2026-46604, CVE-2026-13676, CVE-2026-42256, and related issues, while the glibc update carries a moderate rating for two additional flaws. Administrators should apply these updates quickly to resolve out-of-bounds memory writes, hostname canonicalization bypasses, denial of service flaws, and uninitialized memory disclosure bugs.
openSUSE-SU-2026:21230-1: important: Security update for keybase-client
openSUSE-SU-2026:21231-1: important: Security update for python-pydata-sphinx-theme
openSUSE-SU-2026:21228-1: moderate: Security update for glibc
openSUSE-SU-2026:21225-1: important: Security update for rmt-server
openSUSE-SU-2026:21222-1: important: Security update for systemd
The Slackware Linux Security Team issued three new package updates to address active vulnerabilities in libevent, Mozilla Thunderbird, and libseccomp. Administrators running Slackware 15.0 or the -current branch can download the patched files for both i586 and x86_64 architectures from the official FTP mirror. The libseccomp update specifically repairs memory corruption and filter weakening bugs, while the other two releases contain broader security patches for affected system modules.
libevent (SSA:2026-182-01)
mozilla-thunderbird (SSA:2026-182-02)
libseccomp (SSA:2026-183-01)
Rocky Linux 8 administrators can install new security errata covering rrdtool, Thunderbird, PHP 7.4, container-tools, Ruby 2.5 and 3.3, and MariaDB 10.11. Most advisories carry an Important severity rating, with the PHP 7.4 release addressing vulnerabilities across module.libzip, php-pear, and php-pecl-xdebug, while the container-tools update patches podman, buildah, and skopeo alongside bug fixes and enhancements. The Ruby updates resolve security issues in rubygem-abrt, rubygem-bundler, and rubygem-pg components, and the MariaDB advisory fixes flaws in Judy and galera packages.
RLSA-2026:34155: Moderate: rrdtool security update
RLSA-2026:33445: Important: thunderbird security update
RLSA-2026:34354: Important: php:7.4 security update
RLSA-2026:33722: Important: container-tools:rhel8 security, bug fix, and enhancement update
RLSA-2026:33514: Important: ruby:2.5 security update
RLSA-2026:33515: Important: ruby:3.3 security update
RLSA-2026:33464: Important: mariadb:10.11 security, bug fix, and enhancement update
Debian released security updates for php8.2 on Debian 12 and php8.4 on Debian 13 trixie to fix a buffer overflow in the openssl extension's AES Key Wrap with Padding implementation that causes memory corruption. A vulnerability in Sympa allows attackers to bypass authentication using arbitrary email addresses when the generic SSO login feature is enabled, while php-phpseclib on Debian 11 received patches for five issues including hostname validation bypasses, timing side-channels, denial of service, and server-side request forgery. Package versions 8.2.32-1deb12u1, 8.4.23-1deb13u1, 6.2.70~dfsg-2+deb12u1, and 2.0.30-2+deb11u3 resolve the flaws in their respective distributions. System administrators should upgrade php8.2, php8.4, sympa, and php-phpseclib packages immediately to secure their environments against these disclosed risks.
[DLA 4669-1] php8.2 security update
[DLA 4668-1] sympa security update
[DSA 6377-1] php8.4 security update
[DLA 4670-1] php-phpseclib security update
2026-07-04
Mutt 2.4.1 is the latest stable release for the 30-year-old terminal-based email client, and it's focused on stability fixes rather than new features. Upstream maintainer Kevin J. McCarthy addressed OpenSSL 4 compilation failures, restored Alt keybindings in the foot terminal, patched an empty command line argument crash, and closed a theoretical IMAP buffer overflow. This patch release follows the 2.4.0 feature drop, which introduced explicit thread controls, a configurable draft directory, and RFC-compliant S/MIME type updates.
Fresh evaluations cover the Edifier R2750DB MKII powered speakers and the Snapdragon-equipped HP OmniBook Ultra 14 laptop, both prioritizing wireless connectivity and premium construction. Intel quietly raised recommended pricing on three Arrow Lake Refresh processors by up to 17 percent, a shift caused by datacenter silicon demand and production constraints. Peripheral reviews feature the KTC H49S66 49-inch 5K2K gaming display, the 54-gram Pwnage Ultra Custom Pro Symm 3 mouse, and the Epomaker Glyph keyboard with retro styling and dual screens. Tom's Hardware also examines the Turtle Beach KP7, a versatile desktop controller that still requires manual firmware tweaks every time the system boots.
Audio: Edifier R2750DB MKII Powered Bookshelf Speakers Review
Computers: HP OmniBook Ultra 14 review: Potent Snapdragon performance, great endurance, premium pricing
CPUs: Intel Quietly Hikes Prices on Arrow Lake Refresh CPUs by Up to 17%
Displays: KTC H49S66 5K2K (5120x1440) 49-inch 180Hz Gaming Monitor Review
Input: Pwnage Ultra Custom Pro Symm 3 Review, Epomaker Glyph Review: Typewriter Vibes With Dual Display, Turtle Beach KP7 Review: The accessory that does everything
Canonical's Snap Store will undergo scheduled database maintenance from 22:00 UTC on Saturday, July 5, to 02:00 UTC on Sunday, July 6, 2026. During this four-hour window, users cannot install new snaps or update existing ones as api.snapcraft.io will reject all requests. Applications already installed on your system will continue to function normally, though any pending updates will stall until the service resumes. No user action is required; services will automatically resume after the maintenance closes, so you should complete any critical updates before the 22:00 UTC start.
GNOME 51.alpha, codenamed "A Coruña," has launched as the first unstable build in the development cycle leading to a stable desktop release on September 16, 2026. Building on the fully Wayland-only architecture of GNOME 50 Tokyo, this alpha focuses on refining fractional scaling, improving NVIDIA driver compatibility, and transitioning build dependencies from Autotools to Meson. The update ships 73 refreshed core modules, including performance and accessibility improvements in nautilus, a GListModel overhaul in gnome-calendar, and security hardening across evolution-data-server and glib-networking. While the stable version will roll out to distributions like Fedora and Ubuntu later in the year, developers can currently test the build via the official GNOME OS install image or unstable Flatpak runtimes.
Ubuntu released USN-8467-2 to patch two security flaws in Perl 5.40 for Ubuntu 25.10, addressing an Archive::Tar symlink handling bug and a 32-bit regex compilation memory overflow. USN-8496-2 rolls back a previous cifs-utils security patch across Ubuntu 22.04 LTS, 24.04 LTS, 25.10, and 26.04 LTS after the original fix broke Kerberos-based network mounts. The initial update corrected a privilege escalation flaw that allowed local attackers to run code as root by mishandling user lookups before dropping administrative access.
[USN-8467-2] Perl vulnerabilities
[USN-8496-2] cifs-utils regression
SUSE distributed a batch of security updates targeting multiple packages across openSUSE and SUSE Linux Enterprise, ranging from moderate to important severity ratings. The important updates address vulnerabilities in widely used software including Apache2, Docker-stable, Pacemaker, Google OS Config Agent, the Jackson Java libraries, and the GStreamer plugins-bad component. Moderate security advisories cover dhcpcd, libslirp, FFmpeg 7, GraphicsMagick, jline3, lcms2, Python lxml, editorconfig-core-c, Buildah, and various kernel and tooling patches on GA media.
openSUSE-SU-2026:21220-1: moderate: Security update for dhcpcd
openSUSE-SU-2026:21216-1: moderate: Security update for libslirp
openSUSE-SU-2026:21211-1: moderate: Security update for ffmpeg-7
openSUSE-SU-2026:21207-1: moderate: Security update for GraphicsMagick
openSUSE-SU-2026:21210-1: important: Security update for google-osconfig-agent
openSUSE-SU-2026:21201-1: important: Security update for jackson-annotations, jackson-core, jackson-databind
openSUSE-SU-2026:21221-1: moderate: Security update for jline3
openSUSE-SU-2026:21204-1: important: Security update for gstreamer-plugins-bad
openSUSE-SU-2026:21196-1: important: Security update for pacemaker
openSUSE-SU-2026:21192-1: important: Security update for dnsmasq
openSUSE-SU-2026:21205-1: important: Security update for docker-stable
openSUSE-SU-2026:21218-1: important: Security update for perl-List-SomeUtils-XS
openSUSE-SU-2026:21202-1: moderate: Security update for lcms2
SUSE-SU-2026:2729-1: moderate: Security update for python-lxml
SUSE-SU-2026:2731-1: moderate: Security update for editorconfig-core-c
SUSE-SU-2026:2733-1: important: Security update for buildah
openSUSE-SU-2026:0228-1: moderate: Security update for nilfs-utils
SUSE-SU-2026:2735-1: important: Security update for apache2
openSUSE-SU-2026:11180-1: moderate: python311-mistune-3.3.2-1.1 on GA media
openSUSE-SU-2026:11176-1: moderate: kitty-0.47.4-2.1 on GA media
openSUSE-SU-2026:11179-1: moderate: perl-List-SomeUtils-XS-0.590.0-1.1 on GA media
openSUSE-SU-2026:11175-1: moderate: kernel-devel-7.1.2-1.1 on GA media
openSUSE-SU-2026:11178-1: moderate: openQA-5.1782995932.ffeb09be-1.1 on GA media
openSUSE-SU-2026:11177-1: moderate: krb5-1.22.2-4.1 on GA media
SUSE-SU-2026:2743-1: important: Security update for gstreamer-plugins-bad
SUSE-SU-2026:2744-1: important: Security update for gstreamer-plugins-bad
SUSE-SU-2026:2745-1: moderate: Security update for firewalld-legacy
SUSE-SU-2026:2742-1: important: Security update for pacemaker
SUSE-SU-2026:2751-1: moderate: Security update for tracker-miners
SUSE-SU-2026:2749-1: important: Security update for perl-DBI
Red Hat has made Streams for Apache Kafka 2.9.4 available for download from the Red Hat Customer Portal. This release is tracked under RHSA-2026:34608 and requires attention due to its important classification. Red Hat Product Security classified the security impact of this update as moderate based on current assessments.
RHSA-2026:34608: Important: Streams for Apache Kafka 2.9.4 release and security update
Debian LTS issued advisories on July 3 and 4, 2026, delivering emergency security patches for the Linux kernel, Nginx, and OpenVPN across multiple Debian releases. Version 5.10.259-1 now ships for Debian 11 bullseye, while version 6.1.176-1 replaces the previous build for Debian 12 bookworm, both neutralizing more than 200 kernel flaws that previously allowed privilege escalation, service disruptions, and data exposure. System administrators running Debian 12 should upgrade Nginx to 1.22.1-9+deb12u9 to close two remote code execution and memory disclosure flaws tied to HTTP/2 proxying and character set handling. OpenVPN received parallel fixes for Debian 12 bookworm and the current stable trixie distribution, patching six vulnerabilities that exposed virtual private network services to denial of service attacks.
[DLA 4664-1] linux security update
[DLA 4665-1] linux security update
[DLA 4667-1] nginx security update
[DLA 4666-1] openvpn security update
[DSA 6376-1] openvpn security update
AlmaLinux released three important security advisories for its version 8 operating system on July 3, 2026. The Ruby 2.5 and 3.3 updates patch three distinct vulnerabilities in the Net::IMAP library, specifically blocking IMAP command injection, preventing data leaks during man-in-the-middle attacks, and stopping denial of service exploits. Administrators running container tools will need to install a separate patch that fixes five issues in Go libraries related to certificate validation, TLS handling, and URL parsing, alongside resolving SELinux permission errors and leftover podman files.
ALSA-2026:33514: ruby:2.5 security update (Important)
ALSA-2026:33515: ruby:3.3 security update (Important)
ALSA-2026:33722: container-tools:rhel8 security, bug fix, and enhancement update (Important)