NGINX Rift CVE-2026-42945 scores 9.2 after 18 years, enabling unauthenticated RCE or DoS via crafted HTTP requests.
  • skankhunt42@lemmy.caEnglish
    71·
    16 days ago

    It’s days like this where I’m happy I’m unemployed. I have a group chat with a few friends and they’re pushing out patches and it’s a bit of a rush.

    All my publicly accessible servers update every 6 hours and reboot after whenever they need to. It’s rare I need to step in and fix something. I checked a few hours ago and I’m not at risk.

    • GreenKnight23@lemmy.worldEnglish
      9·
      16 days ago

      All my publicly accessible servers update every 6 hours and reboot after whenever they need to. It’s rare I need to step in and fix something. I checked a few hours ago and I’m not at risk.

      not the flex you think it is.

      didn’t npm have a worm problem a few days ago?

      • skankhunt42@lemmy.caEnglish
        5·
        16 days ago

        Yep. I wasn’t affected thankfully. Didn’t realise I was flexing, sorry. Just happy most of my stack is automated and it’s quite low maintenance at this point.

        Where do I draw the line then? Serious question. If updating every couple hours is bad, then what’s safe?

  • cheesemoo@lemmy.worldEnglish
    5·
    17 days ago

    For anyone else using SWAG, it looks like a fix is on its way but not available yet. This SWAG issue points to an upstream Alpine package dependency that needs to be updated first. Looking at the source, they just recently committed backported patches, so presumably a new version will be released soon; then the SWAG image can be updated.

  • Lemmchen@feddit.orgEnglish
    1·
    16 days ago

    I have an old Debian 11 “bullseye” installation running on one of my servers. It’s stuck at nginx 1.18.0, but it should theoretically still be covered by Debian 11 LTS security updates, right? https://wiki.debian.org/LTS/Using
    nginx/oldoldstable-security,now 1.18.0-6.1+deb11u5