Hosting

In May 2026, the IETF quietly did something that email administrators have been waiting on for years: they published RFC 9989, RFC 9990, and RFC 9991 — collectively known as DMARCbis. These three documents replace RFC 7489, which has been the authoritative reference for DMARC since 2015. The headline change isn’t technical; it’s procedural. The original RFC 7489 was published as an Informational document, meaning it described what the industry was already doing, not what it was required to do. DMARCbis arrives as a Proposed Standard on the IETF Standards Track — the first formal step toward becoming an Internet Standard. In plain terms: DMARC just graduated from “strong industry recommendation” to “official protocol.” ...

If you’re running Exim on Debian or Ubuntu and haven’t patched in the past five weeks, there’s a reasonable chance your mail server is remotely exploitable by anyone who can open a TLS connection to port 25. No credentials required. No special tooling. Standard SMTP commands. CVE-2026-45185, nicknamed Dead.Letter, is a use-after-free vulnerability in Exim’s BDAT message parsing path. CVSS score: 9.8 Critical. Fixed in Exim 4.99.3, released May 12, 2026. If you haven’t checked your version since then, now would be a good time. ...

On June 4, 2026, the PHP team pushed two releases: PHP 8.4.22 and PHP 8.5.7, both routine bug-fix updates. Notice what’s missing: no 8.2 release, no 8.3 release. That’s not an oversight — it’s the lifecycle working as designed. Once a PHP branch exits active support, it receives security patches only when a qualifying CVE appears. Routine bug fixes stop. June was a bug-fix month, so 8.2 and 8.3 sat it out. ...

Apache HTTP Server 2.4.68 came out on June 8, 2026 — the first point release since 2.4.67 in early May, and per the project’s own download page, it’s “recommended over all previous releases.” If you run your own LAMP stack, this is the patch to schedule this week. What’s actually in it The public CVE list on httpd.apache.org hasn’t fully caught up to the release yet, but the individual disclosures have already landed on oss-security and in distro security trackers. Three are worth knowing about specifically. ...

Rspamd 4.1.0 dropped on June 5 — a major release tagged “recommended upgrade for all users” by the development team. There’s enough in it that’s immediately relevant to anyone running a mail server to warrant reading the changelog before blindly upgrading. The security fixes This release addresses several memory-safety issues that can be triggered by crafted incoming mail. S/MIME DoS via recursive PKCS7: A deeply nested application/pkcs7-mime message re-entered the parser without incrementing the nesting counter. In practice this means a malicious sender could craft a message that exhausts your rspamd worker’s stack. The fix gates S/MIME re-entry against the existing max_nested limit. ...

On June 3, 2026, researcher Quang Luong published a remote denial-of-service exploit called the HTTP/2 Bomb that can exhaust tens of gigabytes of server memory using nothing more than a home internet connection. The vulnerability was posted to oss-security the same day and affects nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora in their default HTTP/2 configurations. The CVE identifier CVE-2026-49975 was assigned to the Apache httpd variant. What the attack does The exploit chains two techniques, both of which have been individually documented for roughly a decade, in a way that no prior public research had combined against these servers. ...

MariaDB patched CVE-2026-35549 on April 3, 2026. Seven weeks later, the fixed packages haven’t landed in the official repositories of RHEL 8, 9, and 10, Ubuntu LTS releases, or CentOS 8. If you’re running distro-packaged MariaDB and have the caching_sha2_password authentication plugin in use, your database server can be crashed by any authenticated user with a single oversized packet. What the Bug Is The vulnerability lives in the caching_sha2_password authentication plugin — MariaDB’s compatibility layer for the plugin MySQL 8.0 made default. When processing an authentication request, the plugin calls sha256_crypt_r, which allocates memory via alloca(). Unlike malloc(), alloca() grabs memory directly from the stack with no size check whatsoever. Feed it a packet that’s large enough, and the function attempts to allocate more stack space than exists, causing the server process to crash immediately. ...

If you run WHMCS and haven’t updated in the past week, stop reading and go do that first. Back? Good. Here’s what you just patched. What the Vulnerability Is On 12 May 2026, WHMCS published CVE-2026-29204 — an authorization bypass rooted in clientarea.php. The flaw is textbook IDOR (Insecure Direct Object Reference, classified as CWE-639): when a client area user submits a request that includes an addonId parameter, WHMCS fails to verify whether that addon actually belongs to the requesting account. Swap in a different user’s addonId, and you walk straight into their services. ...

On May 7, 2026, the PHP team released simultaneous security updates across all four supported branches: PHP 8.5.6, 8.4.21, 8.3.31, and 8.2.31. The release is classified as a security update for every branch, which means the usual “I’ll get to it next maintenance window” calculus does not apply here. If you run PHP-FPM — and most modern hosting stacks do — there is an XSS vulnerability patched in this release that deserves your attention today. ...

A heap buffer overflow in MariaDB’s JSON_SCHEMA_VALID() function went unnoticed for years — until AI-assisted code analysis flagged it earlier this year. The flaw, now tracked as CVE-2026-32710, was disclosed on March 19, 2026, and patches landed the same day. If your server runs MariaDB 11.4.x or 11.8.x and you haven’t applied the update yet, this is the one to prioritise this week. What the Bug Actually Does The problem lives in json_get_normalized_string() inside sql/json_schema_helper.cc. The function allocates a fixed 128-byte heap buffer and then copies a JSON string value into it using strncpy — without first checking whether the value fits. If an attacker crafts a JSON schema with a string field longer than that buffer, the heap overflows. ...