
Security teams across major distributions including RHEL, Ubuntu, Debian, Fedora, and SUSE released a massive wave of patches this week targeting critical flaws in the Linux kernel, web stacks, and databases. The updates address dangerous vulnerabilities such as buffer overflows in PHP 8.2 and 8.4, arbitrary code execution in ImageMagick, and SQL injection in Sogo, with several advisories officially rated as critical. While Slackware kept the patch count lean with just three fixes, the broader ecosystem is pushing routine maintenance for container runtimes like Podman and runc alongside database engines like MariaDB and PostgreSQL. Administrators should prioritize applying kernel and glibc updates immediately, as these core components underpin most of the affected services across all distributions.





Weekly Linux Security Roundup: Critical Flaws Hit Kernels, Web Stacks, and Databases Across the Board

If your servers haven't run a package manager in the last seven days, stop what you're doing and apply the patch. Security teams at AlmaLinux, Debian, Fedora, Oracle, RHEL, Rocky, SUSE, Slackware, and Ubuntu all dropped critical advisories this week. The targets cover everything from the Linux kernel to container runtimes, and if you're running any modern production stack, you're probably in the crosshairs.

Ubuntu alone published advisories covering the standard kernel, the Low Latency variant, Raspberry Pi, NVIDIA Tegra, Xilinx, and Oracle hardware builds. That's six separate kernel updates in a single week. AlmaLinux and RHEL followed with their own rounds, while Fedora shipped kernel 7.0.14 across both Fedora 43 and 44. The kernel remains the most frequently patched component, and for good reason.

Beyond the kernel, the web stack is getting hammered. PHP 8.2 and 8.4 land buffer overflow fixes on Debian. RHEL and AlmaLinux push updates for older PHP 7.4 and 8.x branches. Apache httpd, Nginx, and Caddy all receive security patches. And for whatever reason, ImageMagick is having a rough year. Debian, RHEL, Oracle, and SUSE all shipped fixes for arbitrary code execution vulnerabilities in the image processing library. If you run anything that accepts user-uploaded images, apply this immediately.

Databases and container runtimes round out the biggest vulnerabilities. MariaDB 10.11 and 11.8 show up on almost every RPM-based distro. PostgreSQL 15 and 16 get patched across the board. Sogo lands a SQL injection fix on Debian, while PowerDNS and NSD on Fedora address cache poisoning. Podman, Buildah, runc, and skopeo all receive updates for RHEL and Fedora, pointing to the usual container runtime maintenance cycle.


What Actually Needs Your Attention Right Now

Keep in mind that not every advisory carries the same urgency. Most of these sit at "Important" severity. A handful hit "Critical" status. SUSE marked a Thunderbird update, an mbedTLS patch, and a perl-Cpanel-JSON-XS fix as critical. RHEL flagged RHSA-2026:33486 as critical. Debian listed PHP 8.4 as important but the rest as moderate to important. Slackware kept things lean with just three advisories for libevent, Thunderbird, and libseccomp.

If you're running a PHP-heavy production environment, prioritize the Apache/httpd, PHP, and glibc patches first. Those stack together. The glibc and gnutls updates that RHEL and Oracle published also deserve early attention, since they're used by just about everything else on the system.

Ruby developers shouldn't sleep on this week's updates either. AlmaLinux, RHEL, and Rocky all shipped security fixes for Ruby 2.5, 3.3, and 4.0. If you're still on Ruby 2.5, note that by the time of these 2026 advisories it is officially past end-of-life for many upstream projects, though the distros are keeping the security patches flowing.

The Cross-Distro Pattern

Tracking these across distributions reveals a predictable rhythm. The RHEL family (AlmaLinux, Rocky, Oracle, RHEL itself) all patch the exact same RPM packages: perl-IO-Compress, perl-Archive-Tar, git-lfs, python3.12-urllib3, giflib, and container-tools. You'll see identical advisory titles with different numbering. It's a sign of a healthy upstream development model, though it does mean you're essentially mirroring upstream fixes rather than writing custom security code.

The Debian track operates similarly but with its own advisory numbering scheme. Debian uses DLA and DSA prefixes for standard and extended support branches respectively. SUSE splits things between openSUSE-SU and SUSE-SU advisories, usually grouping multiple packages into single releases. Ubuntu tends to stack multiple kernel variants into one notice, while SUSE and Debian prefer granular per-package advisories.

The volume here is staggering, but the underlying mechanics haven't changed. Distributions are still backporting upstream fixes rather than rewriting critical infrastructure from scratch. The patching cadence is the real differentiator, and this week shows why automated update pipelines exist.

Head to your distribution's security portal for the full advisory text and CVE cross-references. AlmaLinux and RHEL post theirs at access.redhat.com/security, Debian uses security.debian.org, Fedora publishes at admin.fedoraproject.org, and Ubuntu hosts everything at ubuntu.com/security. SUSE maintains theirs at suse.com/security.

Apply the patches. Reboot if the kernel or glibc updates land. Monitor your services for the usual post-update startup hiccups, though most of these are straightforward replacements. If you're managing dozens of servers, ansible and puppet are already waiting to apply these RPM and deb updates in bulk.

Latest Security Updates by Distribution

Here’s a complete breakdown of the security updates for AlmaLinux, Debian GNU/Linux, Fedora Linux, Oracle Linux, Red Hat Enterprise Linux, Rocky Linux, Slackware Linux, SUSE Linux, and Ubuntu Linux.

AlmaLinux

AlmaLinux issued a series of security advisories for operating system versions 8, 9, and 10. The updates address critical vulnerabilities in widely deployed software including the Linux kernel, Apache httpd, PHP, MariaDB, PostgreSQL, Ruby, TigerVNC, and Go. These patches fix stack buffer overflows, IMAP command injection flaws, use-after-free errors, and denial-of-service risks that could expose servers to unauthorized access or service disruption.

Debian GNU/Linux

Debian released a wave of security advisories to fix critical flaws across dozens of widely used packages. The patches target the Linux kernel, Nginx, OpenVPN, PHP, Apache2, ImageMagick, librabbitmq, jq, Sogo, and several other tools running on standard and extended support branches. Operators will find resolutions for dangerous issues including SQL injection in Sogo, buffer overflows in PHP 8.2 and 8.4, arbitrary code execution in ImageMagick, and memory corruption in multiple core libraries.

Fedora Linux

The Fedora Project issued a series of security advisories for both Fedora 43 and Fedora 44, addressing critical vulnerabilities across numerous commonly installed software packages. Major updates target database systems like MariaDB and MySQL, web browsers including Chromium and Nextcloud, and container tools such as Podman and Buildah. Developers patched dangerous flaws like buffer overflows in Perl-DBI, memory corruption issues in FreeRDP, and cache poisoning vulnerabilities in PowerDNS and NSD.

Oracle Linux

Oracle released a coordinated series of security and maintenance updates for Oracle Linux 7, 8, and 9. The patches address dozens of CVE identifiers and routine bugs across widely deployed components including OpenSSL, Nginx, the Unbreakable Enterprise Kernel, and major database engines like PostgreSQL and MariaDB. System operators will find corrected RPMs for web servers, runtime environments, desktop libraries, and container tools in these advisories.

Red Hat Enterprise Linux

Red Hat issued a series of security advisories that patch vulnerabilities across Red Hat Enterprise Linux versions 7 through 10. The updates target core system components like the Linux kernel, glibc, gnutls, and httpd alongside enterprise tools including OpenShift, Satellite, and Ansible. Administrators managing database servers such as PostgreSQL, MariaDB, Redis, and Streams for Apache Kafka must apply the latest fixes to meet critical and important compliance standards.

Rocky Linux

Rocky Linux issued multiple security advisories for versions 8 and 9, distributing patches across dozens of core packages including Perl 5.32, MariaDB 10.11, Ruby 2.5, Ruby 3.3, and PHP 7.4. The updates resolve reported vulnerabilities, correct runtime bugs, and apply performance adjustments to components like container-tools, glibc, Thunderbird, and rrdtool. Most advisories carry an Important severity rating, though certain PHP and container-related fixes address higher-priority flaws.

Slackware Linux

The Slackware Linux Security Team issued three new package upgrades to resolve active security flaws across Slackware 15. These patches directly target libevent, Mozilla Thunderbird, and libseccomp to stop exploitation before it reaches production servers. Operators can match each fix to its official advisory, SSA:2026-182-01, SSA:2026-182-02, and SSA:2026-183-01, for straightforward tracking.

SUSE Linux

SUSE issued a wide series of security advisories to patch recently discovered flaws across their Linux distributions. The updates target widely deployed software including Python, Apache2, Docker, ImageMagick, Thunderbird, glibc, systemd, and jq. Several vulnerabilities carry CVSS scores above 8, ranging from moderate to critical severity levels.

Ubuntu Linux

Ubuntu issued a series of security notices to address vulnerabilities across several core system packages. The latest batch includes fixes for the Linux kernel, nghttp2, LibVNCServer, cifs-utils, Vim, and nginx. Separately, the distribution released update USN-8467-2 to resolve two distinct flaws in Perl 5.40 for Ubuntu 25.10. These patches close a symlink handling issue in Archive::Tar and stop a memory overflow during 32-bit regex compilation.

How to apply these Linux security updates

Before running any update commands, check which services are currently active on your system. If Nginx or Apache is handling live traffic, schedule a brief maintenance window or use rolling restarts to minimize downtime during the patching process. Desktop users can usually apply these fixes by opening a terminal and running the standard package manager command for their distribution followed by an upgrade flag. A reboot will be necessary if the kernel received updates to ensure the new security modules load correctly.

Power users who rely on command-line tools like jq should verify the patch level after installation. Regression bugs can occasionally break scripts that depend on specific JSON parsing behavior, so a quick test run is worth the few minutes it takes. If you prefer to skip PackageKit or other GUI package managers because they sometimes hang or try to install junk, do not let that stop you from running the command-line equivalent to get these critical patches applied.

Applying these patches requires distribution-specific package management commands. RHEL-based systems typically use dnf update or yum update, while Debian and Ubuntu rely on apt upgrade. SUSE users should run zypper patch to properly address all security advisories, and Slackware administrators can manage updates with upgradepkg or slackpkg. After executing the commands, a reboot is usually necessary for kernel changes to take effect. Finally, review your package manager’s logs to verify that all patches installed successfully and no dependencies were disrupted.

Debian/Ubuntu (apt)

The first thing to do is refresh the local package index; running sudo apt update contacts all configured repositories and pulls in the newest lists of available versions. Skipping this step leaves the system blind to any recent uploads, which explains why “upgrade” sometimes claims there’s nothing to do even after a security advisory has been published. Once the index is current, invoke sudo apt upgrade -y; the -y flag answers every prompt automatically so the process doesn’t pause for user input. This command upgrades all installed packages that have newer versions in the repositories while preserving configuration files.

sudo apt update
sudo apt upgrade -y

Fedora/RedHat/Rocky/Alma/Oracle (dnf or yum)

On modern Fedora and recent Red Hat derivatives, dnf is the package manager; older RHEL releases still rely on yum. Begin with a check‑update operation—sudo dnf check-update or sudo yum check-update—to see exactly which packages are awaiting an upgrade. This preview step can be useful for spotting unexpected kernel bumps before they land. To actually apply the updates, run sudo dnf upgrade -y (or sudo yum update if you prefer the older tool). The upgrade command pulls down the new binaries and runs any necessary post‑install scripts, such as rebuilding initramfs when a kernel changes.

sudo dnf check-update
sudo dnf upgrade -y

or on older releases

sudo yum check-update
sudo yum update

SUSE (zypper)

SUSE’s command line front‑end is called zypper. First execute sudo zypper refresh so that the metadata for all enabled repos gets updated; without this, zypper will happily report “No updates available” even though newer packages sit on the mirror. After a fresh refresh, issue sudo zypper update -y; this upgrades every package to the latest version in the configured repositories and automatically handles service restarts when required.

sudo zypper refresh
sudo zypper update -y

Slackware (slackpkg and pkgtool)

Slackware doesn’t have a single unified updater, but the official way to pull updates is through slackpkg. Start with sudo slackpkg update to download the newest package list from the chosen mirror. Then run sudo slackpkg upgrade-all; this command walks through each installed package and replaces it with the most recent build available in the official repository. For users who prefer a more granular approach, specifying a package name after upgrade limits the operation to that single item. When dealing with community‑maintained repositories, pkgtool takes over: a combined sudo pkgtool update && sudo pkgtool upgrade will sync and apply updates from the mirrors listed in /etc/slackpkg/mirrors.

sudo slackpkg update
sudo slackpkg upgrade-all
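
The reboot advice above (kernel and glibc updates) can be checked rather than assumed. The script below is an added example, not part of the original article: it reports whether a newer kernel than the running one is installed and which processes still map the replaced glibc. The function names are hypothetical, and it assumes GNU sort -V, kernel module trees under /lib/modules, and that the newest installed kernel is the one booted next.

```sh
#!/bin/sh
# Added example, not from the article: post-patch check for the two cases the
# text says need a reboot (kernel, glibc). Function names are hypothetical.

# newest_kernel [DIR]: highest version among the module trees in DIR.
# Assumes GNU "sort -V" and that the newest installed kernel boots next.
newest_kernel() {
    for d in "${1:-/lib/modules}"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        echo "${d##*/}"
    done | sort -V | tail -n 1
}

# kernel_reboot_needed RUNNING [DIR]: true when a kernel newer than RUNNING
# is installed, i.e. the patched kernel is on disk but not yet booted.
kernel_reboot_needed() {
    newest=$(newest_kernel "$2")
    [ -n "$newest" ] && [ "$newest" != "$1" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$newest" | sort -V | tail -n 1)" = "$newest" ]
}

# stale_libc_pids [PROC]: PIDs whose memory maps still reference a libc file
# that was replaced on disk ("(deleted)"); they keep running the old glibc
# until restarted. Run as root to read every process's maps.
stale_libc_pids() {
    proc=${1:-/proc}
    for maps in "$proc"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq '/libc(-[0-9.]+)?\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
}

# Report for this host.
if kernel_reboot_needed "$(uname -r)"; then
    echo "reboot needed: running $(uname -r), newest installed $(newest_kernel)"
fi
stale=$(stale_libc_pids | tr '\n' ' ')
if [ -n "$stale" ]; then
    echo "still mapping the old glibc, restart or reboot: $stale"
fi
```

No output means the running kernel is the newest one installed and no readable process is holding a deleted libc mapping.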

This is a heavy week. The threat landscape isn't slowing down, and neither are the maintainers. Keep your systems updated.