DMARCbis Is Official: RFC 9989 Upgrades DMARC From Suggestion to Standard

In May 2026, the IETF quietly did something that email administrators have been waiting on for years: they published RFC 9989, RFC 9990, and RFC 9991 — collectively known as DMARCbis. These three documents replace RFC 7489, which has been the authoritative reference for DMARC since 2015. The headline change isn’t technical; it’s procedural. The original RFC 7489 was published as an Informational document, meaning it described what the industry was already doing, not what it was required to do. DMARCbis arrives as a Proposed Standard on the IETF Standards Track — the first formal step toward becoming an Internet Standard. In plain terms: DMARC just graduated from “strong industry recommendation” to “official protocol.” ...

June 22, 2026 · 4 min

Dead.Letter (CVE-2026-45185): Unauthenticated RCE in Exim GnuTLS Builds — Patch Now

If you’re running Exim on Debian or Ubuntu and haven’t patched in the past five weeks, there’s a reasonable chance your mail server is remotely exploitable by anyone who can open a TLS connection to port 25. No credentials required. No special tooling. Standard SMTP commands. CVE-2026-45185, nicknamed Dead.Letter, is a use-after-free vulnerability in Exim’s BDAT message parsing path. CVSS score: 9.8 Critical. Fixed in Exim 4.99.3, released May 12, 2026. If you haven’t checked your version since then, now would be a good time. ...

June 21, 2026 · 4 min

Apache 2.4.68 Lands: The HTTP/2 Bomb Fix Goes Mainline, Plus an .htaccess Privilege Escalation Worth Knowing About

Apache HTTP Server 2.4.68 came out on June 8, 2026 — the first point release since 2.4.67 in early May, and per the project’s own download page, it’s “recommended over all previous releases.” If you run your own LAMP stack, this is the patch to schedule this week.

What’s actually in it

The public CVE list on httpd.apache.org hasn’t fully caught up to the release yet, but the individual disclosures have already landed on oss-security and in distro security trackers. Three are worth knowing about specifically. ...

June 15, 2026 · 3 min

Rspamd 4.1.0: Security Fixes, a Reworked MX Check, and a Breaking Symbol Rename

Rspamd 4.1.0 dropped on June 5 — a major release tagged “recommended upgrade for all users” by the development team. There’s enough in it that’s immediately relevant to anyone running a mail server to warrant reading the changelog before blindly upgrading.

The security fixes

This release addresses several memory-safety issues that can be triggered by crafted incoming mail.

S/MIME DoS via recursive PKCS7: A deeply nested application/pkcs7-mime message re-entered the parser without incrementing the nesting counter. In practice this means a malicious sender could craft a message that exhausts your rspamd worker’s stack. The fix gates S/MIME re-entry against the existing max_nested limit. ...

June 7, 2026 · 3 min
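
The recursive-PKCS7 bug above, as an added illustration that is not Rspamd's own code: a minimal MIME-part walker in two versions. In the buggy one the S/MIME branch re-enters with the same depth, so a chain of application/pkcs7-mime parts never trips the nesting limit and recursion is bounded only by the input; in the fixed one every re-entry counts against the limit. The struct, the function names, the MAX_NESTED value and the constructed chain are all assumptions made for the example.

```c
/* Added example, not rspamd code. Illustrative names and limit. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define MAX_NESTED 10   /* stand-in for rspamd's max_nested (assumed value) */

/* A minimal MIME part: a content type and, for S/MIME parts, the decoded
 * inner message that the parser is re-entered with. */
struct part {
    const char  *content_type;
    struct part *inner;   /* nested part, or NULL */
};

static int is_smime(const struct part *p)
{
    return strcmp(p->content_type, "application/pkcs7-mime") == 0;
}

/* Buggy walker: re-enters for S/MIME with the *same* depth, so the limit
 * never trips on a pkcs7-mime chain and the walk recurses once per level
 * (on a real worker, one stack frame per level until the stack is gone).
 * Returns parts visited, or -1 if the limit was hit. */
int walk_parts_buggy(const struct part *p, int depth)
{
    int rc;
    if (p == NULL)
        return 0;
    if (depth > MAX_NESTED)
        return -1;
    rc = walk_parts_buggy(p->inner, is_smime(p) ? depth : depth + 1);  /* bug */
    return rc < 0 ? rc : rc + 1;
}

/* Fixed walker: every re-entry, S/MIME included, counts against the limit. */
int walk_parts_fixed(const struct part *p, int depth)
{
    int rc;
    if (p == NULL)
        return 0;
    if (depth > MAX_NESTED)
        return -1;
    rc = walk_parts_fixed(p->inner, depth + 1);
    return rc < 0 ? rc : rc + 1;
}

void free_chain(struct part *p)
{
    while (p != NULL) {
        struct part *next = p->inner;
        free(p);
        p = next;
    }
}

/* Constructed input: a chain of `levels` application/pkcs7-mime parts,
 * each wrapping the next, standing in for a deeply nested S/MIME message. */
struct part *make_smime_chain(int levels)
{
    struct part *head = NULL;
    while (levels-- > 0) {
        struct part *p = malloc(sizeof *p);
        if (p == NULL) {
            free_chain(head);
            return NULL;
        }
        p->content_type = "application/pkcs7-mime";
        p->inner = head;
        head = p;
    }
    return head;
}

int main(void)
{
    struct part *chain = make_smime_chain(500);
    printf("buggy walk: %d parts (limit never applied)\n", walk_parts_buggy(chain, 0));
    printf("fixed walk: %d (-1 = max_nested exceeded)\n", walk_parts_fixed(chain, 0));
    free_chain(chain);
    return 0;
}
```

The point to take from the fixed version is not the value of the limit but that the counter is passed through every path that re-enters the parser; a limit that one content type can bypass is no limit.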

CVE-2026-49975: The HTTP/2 Bomb That Knocks nginx and Apache Offline With a Single Connection

On June 3, 2026, researcher Quang Luong published a remote denial-of-service exploit called the HTTP/2 Bomb that can exhaust tens of gigabytes of server memory using nothing more than a home internet connection. The vulnerability was posted to oss-security the same day and affects nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora in their default HTTP/2 configurations. The CVE identifier CVE-2026-49975 was assigned to the Apache httpd variant.

What the attack does

The exploit chains two techniques, both of which have been individually documented for roughly a decade, in a way that no prior public research had combined against these servers. ...

June 4, 2026 · 5 min

PHP 8.5.6 / 8.4.21 / 8.3.31 / 8.2.31: What's Actually in the May Security Patch

On May 7, 2026, the PHP team released simultaneous security updates across all four supported branches: PHP 8.5.6, 8.4.21, 8.3.31, and 8.2.31. The release is classified as a security update for every branch, which means the usual “I’ll get to it next maintenance window” calculus does not apply here. If you run PHP-FPM — and most modern hosting stacks do — there is an XSS vulnerability patched in this release that deserves your attention today. ...

May 11, 2026 · 4 min

When AI Reads Your Database Code: MariaDB's CVE-2026-32710 and What to Do About It

A heap buffer overflow in MariaDB’s JSON_SCHEMA_VALID() function went unnoticed for years — until AI-assisted code analysis flagged it earlier this year. The flaw, now tracked as CVE-2026-32710, was disclosed on March 19, 2026, and patches landed the same day. If your server runs MariaDB 11.4.x or 11.8.x and you haven’t applied the update yet, this is the one to prioritise this week.

What the Bug Actually Does

The problem lives in json_get_normalized_string() inside sql/json_schema_helper.cc. The function allocates a fixed 128-byte heap buffer and then copies a JSON string value into it using strncpy — without first checking whether the value fits. If an attacker crafts a JSON schema with a string field longer than that buffer, the heap overflows. ...

May 9, 2026 · 4 min
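
The copy pattern described above, as an added illustration that is not MariaDB's code: a fixed 128-byte heap buffer filled with strncpy whose bound is the source length, beside a version that checks the length against the destination first. The function names, the string-plus-length calling convention and the probe values are assumptions for the example; the 128-byte size is the one the report gives.

```c
/* Added example, not MariaDB code. Illustrative names; 128 is from the report. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define NORMALIZED_BUF_SIZE 128   /* the fixed heap buffer size the report describes */

/* Vulnerable shape: a fixed-size heap buffer, then strncpy bounded by the
 * *source* length. strncpy's third argument caps what is read from src,
 * not what fits in dst, so a value of 128 bytes or more writes past the
 * allocation (and the terminator lands off the end too). Never call this
 * with untrusted input; it is here to read, not to run. */
char *normalize_string_vuln(const char *value, size_t value_len)
{
    char *buf = malloc(NORMALIZED_BUF_SIZE);
    if (buf == NULL)
        return NULL;
    strncpy(buf, value, value_len);    /* heap overflow when value_len >= 128 */
    buf[value_len] = '\0';
    return buf;
}

/* Fixed shape: compare the length against the destination first and refuse
 * anything that will not fit with its terminator, so the caller can reject
 * the schema instead of corrupting the heap. */
char *normalize_string_safe(const char *value, size_t value_len)
{
    char *buf;
    if (value_len >= NORMALIZED_BUF_SIZE)   /* 127 bytes plus NUL is the maximum */
        return NULL;
    buf = malloc(NORMALIZED_BUF_SIZE);
    if (buf == NULL)
        return NULL;
    memcpy(buf, value, value_len);
    buf[value_len] = '\0';
    return buf;
}

/* Does a JSON string value of `n` bytes get through the safe path?
 * Builds a constructed value of n 'A's; returns 1 accepted, 0 rejected,
 * -1 on allocation failure. */
int safe_accepts_length(size_t n)
{
    char *value = malloc(n + 1);
    char *out;
    int accepted;
    if (value == NULL)
        return -1;
    memset(value, 'A', n);
    value[n] = '\0';
    out = normalize_string_safe(value, n);
    accepted = (out != NULL);
    free(out);
    free(value);
    return accepted;
}

int main(void)
{
    size_t probes[] = { 16, 127, 128, 4096 };
    size_t i;
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%4zu-byte value: %s\n", probes[i],
               safe_accepts_length(probes[i]) ? "accepted" : "rejected");
    return 0;
}
```

Whether the right fix is to reject oversize values or to size the allocation to the value is a design choice; either way the check has to happen before the copy, and the bound passed to the copy routine has to be the destination's capacity, not the source's length.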

Postfix 3.11.2 Patches a 20-Year-Old Buffer Over-Read — and an AI Found Most of the Rest

On May 4, 2026, Wietse Venema released Postfix 3.11.2, 3.10.9, 3.9.10, and 3.8.16. If you run a mail server, this is the update you actually want to read — not because the CVSS score is alarming (it isn’t), but because one of the bugs patched in this release has been sitting in the codebase since 2005.

The CVE Worth Knowing About

CVE-2026-43964 is an off-by-one error in how Postfix handles enhanced status codes. If an SMTP access table, policy server, DNSBL response, or milter returns a bare status code — something like 5.7.2 without any text following it — the daemon reads past the end of the allocated buffer. The result is a process crash. ...

May 7, 2026 · 3 min
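
The bare-status-code case above, as an added illustration that is not Postfix's code: a small splitter that finds a leading enhanced status code of the RFC 3463 shape (class.subject.detail) in a reply and returns the text after it. The buggy version assumes a separator always follows the code and steps over it, so for a bare "5.7.2" it hands the caller a pointer one byte past the terminator; the fixed version only steps over a separator that is actually there. The function names and the sample replies are assumptions constructed for the example.

```c
/* Added example, not Postfix code. Illustrative names and constructed replies. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Length of a leading "c.s.d" enhanced status code (RFC 3463 shape: one
 * class digit 2, 4 or 5, then subject and detail of 1-3 digits each), or
 * 0 if the reply does not start with one. Never reads past a NUL. */
size_t dsn_code_len(const char *s)
{
    size_t i, field, digits;
    if (s[0] != '2' && s[0] != '4' && s[0] != '5')
        return 0;
    i = 1;
    for (field = 0; field < 2; field++) {
        if (s[i] != '.')
            return 0;
        i++;
        for (digits = 0; digits < 3 && isdigit((unsigned char)s[i]); digits++)
            i++;
        if (digits == 0)
            return 0;
    }
    if (s[i] != '\0' && s[i] != ' ')
        return 0;
    return i;
}

/* Buggy split: assumes a separator follows the code and steps over it.
 * For "5.7.2 Not authorized" that yields "Not authorized"; for a bare
 * "5.7.2" it yields s + 6, one past the NUL, and the first caller to
 * read through that pointer reads past the end of the buffer. */
const char *dsn_text_buggy(const char *s)
{
    size_t n = dsn_code_len(s);
    return n ? s + n + 1 : s;
}

/* Fixed split: only step over the separator if there is one. A bare code
 * yields an empty string, which the caller can replace with default text. */
const char *dsn_text_fixed(const char *s)
{
    size_t n = dsn_code_len(s);
    if (n == 0)
        return s;
    return s[n] == ' ' ? s + n + 1 : s + n;
}

int main(void)
{
    /* Constructed replies: with text, bare, and not a status code at all. */
    const char *replies[] = { "5.7.2 Not authorized", "5.7.2", "Not a status code" };
    size_t i;
    for (i = 0; i < sizeof replies / sizeof replies[0]; i++)
        printf("code_len=%zu text=\"%s\"\n",
               dsn_code_len(replies[i]), dsn_text_fixed(replies[i]));
    return 0;
}
```

The fixed version is also the one to use when a lookup table or policy daemon is the source of the reply: those inputs are semi-trusted configuration, but the parser still has to treat "code with nothing after it" as a valid input rather than an impossible one.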

Apache HTTP/2 Double-Free (CVE-2026-23918): What You Need to Do Before Friday

A memory-corruption bug in Apache HTTP Server’s HTTP/2 implementation was publicly disclosed this week, and the details are ugly enough that you should stop reading this sentence and go check your Apache version right now. Done? Good. Let’s talk about what’s actually going on.

The Bug

CVE-2026-23918 is a double-free vulnerability in mod_http2, specifically in the stream cleanup path of Apache httpd 2.4.66. A double-free happens when code tries to release the same chunk of memory twice — a classic mistake that corrupts internal allocator state and typically leads to crashes, and sometimes worse. ...

May 6, 2026 · 4 min