Security Leftovers
-
Freexian Collaborators: Monthly report about Debian Long Term Support, May 2026 (by Santiago Ruano Rincón)
The Debian LTS Team, funded by Freexian’s Debian LTS offering, is pleased to report its activities for May.
During the month of May, 21 contributors have been
The team released 56 DLAs fixing 877 CVEs.
-
LWN ☛ Security updates for Wednesday
Security updates have been issued by AlmaLinux (corosync, firefox, kernel, kernel-rt, libpq, memcached, postgresql, postgresql16, postgresql:13, postgresql:16, python-urllib3, python3.14-urllib3, redis:6, skopeo, and vim), Debian (beets, gst-plugins-bad1.0, imagemagick, libmatio, python-urllib3, and u-boot), Fedora (chromium, coturn, frr, grout, materialx, perl-Crypt-DSA, and yt-dlp), Mageia (opensc, perl-Archive-Tar, and podofo), Oracle (fence-agents, libpq, mysql:8.4, and postgresql:16), Red Hat (firefox, libpng, libpng12, libpng15, libreoffice, nginx:1.24, thunderbird, tigervnc, xorg-x11-server, and xorg-x11-server-Xwayland), Slackware (libarchive), SUSE (amazon-ssm-agent, ansible-core, apache2, bind, bitcoin-qt6, containerized-data-importer, curl, distribution, docker-stable, dovecot24, dracut, editorconfig-core-c, exiv2, firefox, freeipmi, freerdp, ghc-aws, ghc-crypton-asn1-encoding, ghc-crypton-asn1-parse, ghc-crypton-asn1-types, ghc-crypton-pem, glib-networking, go1.25, go1.26, google-guest-agent, graphite2, hamlib, helm, himmelblau, ignition, ImageMagick, kernel, ldns, libarchive, libcaca, libheif, libinput, libjxl, libsolv, libzypp, zypper, LibVNCServer, libxslt, libyang, mcphost, mozjs128, ncurses, nginx, opensc, openssl-3, openvswitch, papers, perl-HTML-Parser, perl-HTTP-Daemon, perl-Protocol-HTTP2, podman, postgresql14, postgresql15, postgresql16, postgresql17, python-aiohttp, python-ecdsa, python-paramiko, python-PyJWT, python-starlette, rekor, sqlite3, strongswan, tiff, tomcat, tomcat10, tomcat11, unbound, webkit2gtk3, xwayland, and zypper, libzypp, libsolv), and Ubuntu (libcap2, libnfs, libvncserver, libxml2, and mysql-8.0).
-
Xe's Blog ☛ "No way to prevent this" say users of only language where this regularly happens
In the hours following the release of CVE-2026-55200 for the project libssh2, site reliability workers and systems administrators scrambled to desperately rebuild and patch all their systems to fix an out-of-bounds write in ssh2_transport_read() due to a missing upper bound check on the packet_length field, resulting in heap corruption and potential remote code execution.
-
OpenSSF (Linux Foundation) ☛ OpenSSF Newsletter – June 2026
June highlighted the high stakes for open source security. The European Open Source Security Forum focused on turning CRA commitments into action, while the Mini Shai-Hulud and Miasma threats underscored the need for strong provenance. Despite these challenges, the community progressed with new machine-readable guidance, a SLSA supply chain post-mortem, and a critical CRA Awareness report. Read on for the full update!
-
Security Week ☛ BeyondTrust, LastPass Impacted by Klue-Salesfarce Incident
Over a dozen Klue customers have confirmed that hackers stole data from their Salesfarce instances.
-
Security Week ☛ Exploitable CI/CD Vulnerabilities Expose Millions of Repositories to Hijacking
The security defects allow unauthenticated users to take control of the open source software supply chain.
-
Security Week ☛ New ‘Mistic’ RAT Opens Door to Several Ransomware Families
Mistic is used by Woodgnat, an initial access broker working with Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.
-
Security Week ☛ Agentic Hey Hi (AI) Security: Wrong Context, Wrong Decisions at Machine Speed
Context is the central plank of Hey Hi (AI) in general, and agentic Hey Hi (AI) in particular. If an Hey Hi (AI) system doesn’t have the correct context, it cannot make the correct decisions.
-
Security Week ☛ Critical Ubiquiti Vulnerabilities in Attackers’ Crosshairs
The flaws allow remote, unauthenticated attackers to make system changes, access underlying accounts, and inject commands.
-
Security Week ☛ Third DraftKings Hacker Sentenced to 18 Months in Prison
Nathan Austad has been ordered to pay roughly $1.8 million in forfeiture and restitution, and the sentence also includes 3 years of supervised release.
-
Security Week ☛ macOS Weaknesses Chained to Silently Disable Endpoint Security Agents
A standard non-admin account is sufficient to conduct an attack that exploits legitimate OS behavior rather than software vulnerabilities.
-
Scoop News Group ☛ In a first, a court takedown goes after two cybercrime tools at once
Microsoft, with law enforcement and industry partners, disrupted more than 200 command and control servers for Amadey and StealC, often used in conjunction.
-
Security Week ☛ Exclusive: Meet AIVEX, a New Triage Model Built to Reduce Supply Chain Threat and Risk
The new framework seeks to help security teams identify which software supply chain vulnerabilities pose the greatest operational, safety, and business risks in AI-driven environments.