kalfaoglu.net blog

On June 4, 2026, the PHP team pushed two releases: PHP 8.4.22 and PHP 8.5.7, both routine bug-fix updates. Notice what’s missing: no 8.2 release, no 8.3 release. That’s not an oversight — it’s the lifecycle working as designed. Once a PHP branch exits active support, it receives security patches only when a qualifying CVE appears. Routine bug fixes stop. June was a bug-fix month, so 8.2 and 8.3 sat it out. ...

Apache HTTP Server 2.4.68 came out on June 8, 2026 — the first point release since 2.4.67 in early May, and per the project’s own download page, it’s “recommended over all previous releases.” If you run your own LAMP stack, this is the patch to schedule this week. What’s actually in it The public CVE list on httpd.apache.org hasn’t fully caught up to the release yet, but the individual disclosures have already landed on oss-security and in distro security trackers. Three are worth knowing about specifically. ...

Rspamd 4.1.0 dropped on June 5 — a major release tagged “recommended upgrade for all users” by the development team. There’s enough in it that’s immediately relevant to anyone running a mail server to warrant reading the changelog before blindly upgrading. The security fixes This release addresses several memory-safety issues that can be triggered by crafted incoming mail. S/MIME DoS via recursive PKCS7: A deeply nested application/pkcs7-mime message re-entered the parser without incrementing the nesting counter. In practice this means a malicious sender could craft a message that exhausts your rspamd worker’s stack. The fix gates S/MIME re-entry against the existing max_nested limit. ...

On June 3, 2026, researcher Quang Luong published a remote denial-of-service exploit called the HTTP/2 Bomb that can exhaust tens of gigabytes of server memory using nothing more than a home internet connection. The vulnerability was posted to oss-security the same day and affects nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora in their default HTTP/2 configurations. The CVE identifier CVE-2026-49975 was assigned to the Apache httpd variant. What the attack does The exploit chains two techniques, both of which have been individually documented for roughly a decade, in a way that no prior public research had combined against these servers. ...

Google and Yahoo dropped their email authentication hammer in February 2024. Microsoft watched that unfold, nodded slowly, and then did the same thing on May 5, 2025. If your domain hasn’t sorted out SPF, DKIM, and DMARC by now, a chunk of your outbound mail is already being rejected — silently, with no bounce to show for it. What Microsoft Actually Requires For anyone sending 5,000 or more messages per day to Microsoft consumer addresses (@outlook.com, @hotmail.com, @live.com), the requirements are: ...

On 5 May 2026, the Dovecot team published security advisory OXDC-2026-0002, covering five vulnerabilities fixed in OX Dovecot CE 2.4.4 (and Pro 3.1.5). If you are running Dovecot CE 2.4.3 or earlier, this is your prompt to upgrade. What’s in the advisory CVE-2026-27851 — SQL/LDAP injection via variable expansion (CVSS 7.4) The most serious of the five. When the safe filter is used in Dovecot’s variable expansion (lib-var-expand), it incorrectly treats all subsequent pipelines on the same string as safe too. The result: attacker-controlled data can bypass escaping and land unmodified in SQL or LDAP queries used for authentication. No public exploit exists yet, but CVSS 7.4 with a network attack vector and no required privileges is not something to sit on. If you cannot upgrade immediately, the workaround is to avoid the safe filter in your configuration until you can. ...

MariaDB patched CVE-2026-35549 on April 3, 2026. Seven weeks later, the fixed packages haven’t landed in the official repositories of RHEL 8, 9, and 10, Ubuntu LTS releases, or CentOS 8. If you’re running distro-packaged MariaDB and have the caching_sha2_password authentication plugin in use, your database server can be crashed by any authenticated user with a single oversized packet. What the Bug Is The vulnerability lives in the caching_sha2_password authentication plugin — MariaDB’s compatibility layer for the plugin MySQL 8.0 made default. When processing an authentication request, the plugin calls sha256_crypt_r, which allocates memory via alloca(). Unlike malloc(), alloca() grabs memory directly from the stack with no size check whatsoever. Feed it a packet that’s large enough, and the function attempts to allocate more stack space than exists, causing the server process to crash immediately. ...

If you run WHMCS and haven’t updated in the past week, stop reading and go do that first. Back? Good. Here’s what you just patched. What the Vulnerability Is On 12 May 2026, WHMCS published CVE-2026-29204 — an authorization bypass rooted in clientarea.php. The flaw is textbook IDOR (Insecure Direct Object Reference, classified as CWE-639): when a client area user submits a request that includes an addonId parameter, WHMCS fails to verify whether that addon actually belongs to the requesting account. Swap in a different user’s addonId, and you walk straight into their services. ...

On May 7, 2026, the PHP team released simultaneous security updates across all four supported branches: PHP 8.5.6, 8.4.21, 8.3.31, and 8.2.31. The release is classified as a security update for every branch, which means the usual “I’ll get to it next maintenance window” calculus does not apply here. If you run PHP-FPM — and most modern hosting stacks do — there is an XSS vulnerability patched in this release that deserves your attention today. ...

A heap buffer overflow in MariaDB’s JSON_SCHEMA_VALID() function went unnoticed for years — until AI-assisted code analysis flagged it earlier this year. The flaw, now tracked as CVE-2026-32710, was disclosed on March 19, 2026, and patches landed the same day. If your server runs MariaDB 11.4.x or 11.8.x and you haven’t applied the update yet, this is the one to prioritise this week. What the Bug Actually Does The problem lives in json_get_normalized_string() inside sql/json_schema_helper.cc. The function allocates a fixed 128-byte heap buffer and then copies a JSON string value into it using strncpy — without first checking whether the value fits. If an attacker crafts a JSON schema with a string field longer than that buffer, the heap overflows. ...