Security Leftovers
-
LWN ☛ Security updates for Thursday
Security updates have been issued by AlmaLinux (libpng, libsolv, libtasn1, libxml2, libxslt, python3.14, tigervnc, and vim), Debian (cloud-init, postgresql-13, and yelp), Mageia (nats-server), Oracle (.NET 10.0, .NET 8.0, .NET 9.0, bind9.18, cockpit, compat-openssl11, dnsmasq, dovecot, evince, expat, flatpak, freerdp, gimp, golang, grafana, grafana-pcp, httpd, jmc, jq, kernel, libsndfile, libsoup, libtiff, mod_http2, mysql:8.0, nginx, nginx:1.24, openexr, php:8.2, poppler, pyOpenSSL, python-markdown, redis:7, samba, thunderbird, tigervnc, unbound, and vim), Red Hat (libpng, libpng12, and libpng15), SUSE (apptainer, bind, crun, freeipmi, ghc-crypton-x509-store, ghc-crypton-x509-system, google-guest-agent, google-osconfig-agent, GraphicsMagick, gstreamer-plugins-bad, hamlib, iproute2, java-1_8_0-openjdk, kubevirt1, libarchive, libheif, libpng15, mbedtls, mbedtls-2, openssl-1_1, python-biopython, python-PyJWT, tar, webkit2gtk3, and xen), and Ubuntu (ffmpeg, libdbi-perl, and perl).
-
OpenSSF (Linux Foundation) ☛ The CRA Readiness Reality: What Changed (and What Didn’t) Between 2025 and 2026?
In 2025, 'Linux' Foundation Research, 'Linux' Foundation Europe, and Open Source Security Foundation (OpenSSF) published Unaware and Uncertain: The Stark Realities of Cyber Resilience Act Readiness in Open Source. It took a survey-based look at how prepared the open source ecosystem was for the European Union's Cyber Resilience Act (EU CRA). The headline finding was blunt: 62% of respondents had little to no familiarity with a regulation that would reshape how software gets built, shipped, and maintained across global supply chains. The hope was that with a year to go before the CRA enters into force, community education initiatives and a growing body of guidance would move the readiness needle. They didn't.
-
Scoop News Group ☛ Why patch directives only go so far
Six weeks of undetected access through a compromised VPN exposes why patching isn't a solution for the organizations already breached.
-
Security Week ☛ Chrome 149 Update Resolves 18 Severe Vulnerabilities
More than half of the bugs are use-after-free defects, which can potentially lead to remote code execution.
-
Scoop News Group ☛ FCC passes new cybersecurity rules for emergency systems, undersea cables
The new rules would overhaul national emergency systems to protect against hijacking and update federal security review rules for undersea cable providers.
-
Security Week ☛ Cisco SD-WAN Zero-Day Exploited Months Before Patching
CVE-2026-20245, the 7th Cisco SD-WAN vulnerability exploited in 2026, was used for months prior to its disclosure and patching.
-
Security Week ☛ Lantronix Serial-to-IP Converter Flaw Exploited in Attacks After OT Threat Warning
The exploited flaw, CVE-2025-67038, is one of the vulnerabilities disclosed in April as part of the BRIDGE:BREAK research project.
-
Security Week ☛ Cal Water Says No OT Systems Breached in Iranian Handala Cyberattack
Mandiant has helped the California water utility investigate the cyberattack launched by Iranian hacker group Handala.