Security 10972 Published by

This week's Linux security landscape is dominated by a massive wave of advisories across nearly every major distribution, targeting core infrastructure like the Linux kernel, container runtimes, and web servers. Critical fixes include patches for RHEL's kernel-rt, Oracle's Samba, and openSUSE's Chromium, alongside urgent updates for Python, PHP, Go, and Node.js runtimes that address memory corruption and remote code execution flaws. Enterprise teams on Red Hat, Rocky, and AlmaLinux must prioritize kernel and Podman/Buildah patches, while Debian LTS and Ubuntu administrators need to clear out buffer handling bugs in OpenSSH and NTFS-3G to prevent active exploitation. With vulnerabilities ranging from critical privilege escalation to important browser risks, IT teams should immediately apply the latest errata to close attack vectors before they can be leveraged in production environments.





This Week's Linux Security Roundup: Massive Kernel Patches, Container Fixes, and a Critical Samba Flaw

Admins running enterprise Linux just got hit with a massive wave of security advisories this week. The updates span nearly every major distribution, targeting everything from the mainline kernel to container runtimes, web servers, and Python libraries. If you manage production servers, skipping this round isn't an option.

That's after the usual steady drip of CVEs. This week, the volume spiked. Red Hat's ecosystem alone pushed over sixty advisories. Oracle, Rocky, and AlmaLinux mirrored the changes. Debian's LTS team cleared out memory corruption and remote code execution flaws in Chromium, Mesa, and GRUB2. Fedora 43 and 44 administrators need to patch high-severity browser and ImageMagick bugs immediately. SUSE rolled out kernel live patches, OpenSSL fixes, and a critical update for openSUSE's Chromium. Ubuntu delivered seventeen advisories just for the 24th of July, covering everything from OpenSSH privilege escalation to NTFS-3G buffer handling.

Sectux

The Heavy Hitters

Kernel updates are dominating the list. Nearly every distro pushed patches for the mainline and real-time kernels. RHEL even marked one kernel-rt advisory as Critical. Oracle Linux flagged a Samba update for OL10 as Critical, while openSUSE labeled its Chromium fix the same. You'll also see massive coverage for container tools. Podman, Buildah, and rootlesskit got security bumps across RHEL, Oracle, SUSE, and Rocky. Web server configs aren't safe either. Nginx, Tomcat, and Traefik 2 all received important ratings.

Language runtimes took a hit too. Python 3.12, Python 3.14, and Python 3.15 all landed updates. PHP 8.4.24 and 8.5.9 release candidates are now flowing into Fedora's test repos. Go toolsets got security bumps on AlmaLinux, Oracle, and Rocky. Node.js 24 and Node.js 22 followed suit. If you're running GIMP or ImageMagick for image processing workflows, those got patched. OpenSUSE's Chromium fix and SUSE's ImageMagick updates carry important ratings.

What Actually Matters for Your Stack

Let's cut through the advisory numbers. The kernel patches are non-negotiable. You've got memory corruption and privilege escalation risks closing out in the wild. The container tools updates fix remote code execution paths that attackers have been exploiting for months. Nginx and Tomcat patches handle request parsing flaws that can crash daemons or leak data. Python and PHP updates address deserialization and buffer handling bugs.

Slackware got a single netatalk upgrade to 4.5.1 for file server stability. Not a big deal, but it keeps your legacy Samba alternatives from rotting. Distros just pushed the commits. No press releases. Just advisory links and version bumps. You have about forty-eight hours before someone starts exploiting the unpatched nodes in your environment.

Latest Security Updates by Distribution

Here’s a complete breakdown of the security updates for AlmaLinux, Debian GNU/Linux, Fedora Linux, Oracle Linux, Red Hat Enterprise Linux, Rocky Linux, Slackware Linux, SUSE Linux, and Ubuntu Linux.

AlmaLinux

AlmaLinux distributed a series of security patches for versions 8, 9, and 10 to address known vulnerabilities across the operating system. IT teams need to install these updates immediately because they fix critical flaws in essential software like the Linux kernel, PHP, Python, and Nginx. The latest advisories also cover container management tools such as Podman, web server components, and programming frameworks including Node.js 24 and LibreOffice. Security officials categorized the majority of these fixes as important while assigning moderate or lower ratings to a few specific packages like FreeIPMI and corosync.

Debian GNU/Linux

Debian Long Term Support released emergency security advisories to patch critical flaws across multiple widely used system packages. These updates resolve memory corruption, remote code execution, and privilege escalation vulnerabilities in applications including Chromium, Mesa, Dnsmasq, and GRUB2. Debian 12 and 13 administrators must install the patches immediately to prevent attackers from executing unauthorized code or bypassing network protections. The advisories address between fifteen and twenty-seven flaws per release, highlighting the necessity of frequent system maintenance.

Fedora Linux

Fedora 43 and 44 distributions require immediate security patches to address high-severity flaws across dozens of core applications. Major browsers and utilities receive critical fixes, including fifteen closed vulnerabilities in Chromium, multiple security advisories for Firefox and ImageMagick, and an upgrade to Calibre 9.11.0 that eliminates arbitrary code execution risks. System administrators must also update xrdp to resolve ten reported issues and repair kernel XFS mapping errors.

Oracle Linux

Oracle Linux administrators must install a coordinated batch of security advisories covering versions seven through ten. These releases prioritize core kernel patches alongside critical updates for nginx, glibc, podman, and vim. The patches resolve dozens of identified CVEs that directly impact container operations, network routing, and image processing workflows. System administrators managing x86_64 and aarch64 deployments will find fixes for major applications including LibreOffice, Samba, and the Unbreakable Enterprise Kernel.

Red Hat Enterprise Linux

Red Hat distributed a series of security advisories for Red Hat Enterprise Linux versions 8, 9, and 10 to address multiple software vulnerabilities. These patches target core infrastructure and development packages including the Linux kernel, Python, Thunderbird, OpenStack, and JBoss Web Server. Administrators will find impact ratings ranging from low to important across the various advisories covering system utilities and container tools. System owners must apply these updates to maintain compliance and protect their RHEL environments from known exploitation risks.

Rocky Linux

Rocky Linux administrators must apply recent security advisories across versions 8, 9, and 10 to address multiple vulnerabilities. The released errata target foundational system components alongside widely used development and desktop applications. Affected software includes the Linux kernel, Golang, OpenSSL, Podman, Python, and various container tools. These patches resolve specific flaws tracked under official CVE identifiers to prevent potential system exploitation.

Slackware Linux

The Slackware Linux Security Team distributed security advisory SSA:2026-197-01 to upgrade the netatalk package. This release pushes version 4.5.1 to the stable Slackware 15.0 distribution and the active development branch. System administrators must apply the update to keep their file server services aligned with the latest stability improvements. The patch addresses known vulnerabilities and ensures continued compatibility across all supported Slackware environments.

SUSE Linux

SUSE issued security advisories for SUSE Linux Enterprise and openSUSE platforms, addressing vulnerabilities across core system components and third-party applications. Administrators must prioritize patches for the Linux kernel live updates, ImageMagick, curl, and OpenSSL due to their critical severity ratings and potential exploitation risks. The updates also resolve high-severity flaws in Chromium, Django, Kubernetes, Podman, GIMP, and Python libraries for SUSE Linux Enterprise versions 15 through 17 and openSUSE Leap 15. OpenSUSE Tumbleweed received moderate security fixes for Nginx, Blender, and other tools, while SUSE Linux Enterprise administrators should deploy these changes immediately to mitigate known threats.

Ubuntu Linux

Ubuntu released a series of security patches throughout July 2026 to address critical vulnerabilities across core system utilities and libraries. The initial update fixed privilege escalation risks in cifs-utils, buffer handling flaws in libexif and libssh2, and security bypass issues in OpenSSH. A later announcement on July 14 delivered nine advisories targeting httplib2, MariaDB, OpenVPN, Vim, and Wget while patching network and database components. Ubuntu simultaneously deployed kernel updates for AWS, Google Cloud, Raspberry Pi, and standard hardware alongside seventeen fixes for ubuntu-advantage-tools, NTFS-3G, Ruby, Tar, and Authlib.

How to apply these Linux security updates

Before running any update commands, check which services are currently active on your system. If Nginx or Apache is handling live traffic, schedule a brief maintenance window or use rolling restarts to minimize downtime during the patching process. Desktop users can usually apply these fixes by opening a terminal and running the standard package manager command for their distribution followed by an upgrade flag. A reboot will be necessary if the kernel received updates to ensure the new security modules load correctly.

Power users who rely on command-line tools like jq should verify the patch level after installation. Regression bugs can occasionally break scripts that depend on specific JSON parsing behavior, so a quick test run is worth the few minutes it takes. If you use PackageKit or other GUI package managers and prefer to skip them because they sometimes hang or try to install junk, do not let that stop you from running the command-line equivalent to get these critical patches applied.

Applying these patches requires distribution-specific package management commands. RHEL-based systems typically use dnf update or yum update, while Debian and Ubuntu rely on apt upgrade. SUSE users should run zypper patch to properly address all security advisories, and Slackware administrators can manage updates with upgradepkg or slackpkg. After executing the commands, a reboot is usually necessary for kernel changes to take effect. Finally, review your package manager’s logs to verify that all patches installed successfully and no dependencies were disrupted.

Debian/Ubuntu (apt)

The first thing to do is refresh the local package index; running sudo apt update contacts all configured repositories and pulls in the newest lists of available versions. Skipping this step leaves the system blind to any recent uploads, which explains why “upgrade” sometimes claims there’s nothing to do even after a security advisory has been published. Once the index is current, invoke sudo apt upgrade -y; the -y flag answers every prompt automatically so the process doesn’t pause for user input. This command upgrades all installed packages that have newer versions in the repositories while preserving configuration files.

sudo apt update
sudo apt upgrade -y

Fedora/RedHat/Rocky/Alma/Oracle (dnf or yum)

On modern Fedora and recent Red Hat derivatives, dnf is the package manager; older RHEL releases still rely on yum. Begin with a check‑update operation—sudo dnf check-update or sudo yum check-update—to see exactly which packages are awaiting an upgrade. This preview step can be useful for spotting unexpected kernel bumps before they land. To actually apply the updates, run sudo dnf upgrade -y (or sudo yum update if you prefer the older tool). The upgrade command pulls down the new binaries and runs any necessary post‑install scripts, such as rebuilding initramfs when a kernel changes.

sudo dnf check-update
sudo dnf upgrade -y

or on older releases

sudo yum check-update
sudo yum update

SUSE (zypper)

SUSE’s command line front‑end is called zypper. First execute sudo zypper refresh so that the metadata for all enabled repos gets updated; without this, zypper will happily report “No updates available” even though newer packages sit on the mirror. After a fresh refresh, issue sudo zypper update -y; this upgrades every package to the latest version in the configured repositories and automatically handles service restarts when required.

sudo zypper refresh
sudo zypper update -y

Slackware (slackpkg and pkgtool)

Slackware doesn’t have a single unified updater, but the official way to pull updates is through slackpkg. Start with sudo slackpkg update to download the newest package list from the chosen mirror. Then run sudo slackpkg upgrade-all; this command walks through each installed package and replaces it with the most recent build available in the official repository. For users who prefer a more granular approach, specifying a package name after upgrade limits the operation to that single item. When dealing with community‑maintained repositories, pkgtool takes over: a combined sudo pkgtool update && sudo pkgtool upgrade will sync and apply updates from the mirrors listed in /etc/slackpkg/mirrors.

sudo slackpkg update
sudo slackpkg upgrade-all