this post was submitted on 17 Jun 2026
208 points (97.3% liked)

Fediverse

42516 readers
542 users here now

A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, Mbin, etc).

If you wanted to get help with moderating your own community then head over to !moderators@lemmy.world!

Rules

Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration)

founded 3 years ago
MODERATORS
ruud@lemmy.world
Xylinna@lemmy.world
MrCenny@lemmy.world
TragicNotCute@lemmy.world
automodbeta@lemmy.world
woelkchen@lemmy.world
208
FYI, blahaj.zone is down for the next few hours (pen.blahaj.zone)
submitted 1 day ago* (last edited 1 day ago) by quill7513@anarchist.nexus to c/fediverse@lemmy.world
34 comments fedilink hide all child comments
 

Blahaj.zone experienced a security breach and is handling it to properly reduce the risk of harm to their users. the current eta for their reture is in about 7 hours.

you are viewing a single comment's thread
view the rest of the comments
[–] sylver_dragon@lemmy.world 44 points 1 day ago (2 children)

Then they transfered a file to /tmp/exp which was linux kernel CVE-2026-43500, nicknamed ‘Dirty Frag’, an RxRPC local privilege escalation. I had not patched these internal servers that nobody should have access to against this.

Lessons Learned #1:
Install your patches.
"But I have a firewall!"
That is not a sufficient control.
Install.
Your.
Fucking.
Patches!

[–] moonpiedumplings@programming.dev 17 points 1 day ago (1 children)

"Just patch" is advice for a windows administrator, where updates break everything so you have to sit and baby them and apply them manually.

On Linux, there are ways to enable automatic security updates, including automatic reboots, so you can safely receive the mitigations your distro provides. That way, you don't have to worry about forgetting to patch (until the distro release becomes unmaintained, at least).

Now, dirty frag was a zero day, meaning that it was released and probably in the wild before a mitigation was pushed out to handle it. So you did need to apply an actual configuration patch... unless you had some form of kernel based isolation, which I mention as #2 of my other comment in this thread: https://programming.dev/post/52129409/24414213

[–] sylver_dragon@lemmy.world 2 points 15 hours ago

Sadly, a reluctance to install patches isn't unique to Windows administration. I worked at a site with a well functioning Satellite infrastructure and support contracts with Red Hat. And we (InfoSec) were still chasing down admins to get their shit patched. Thankfully, we had NAC and authorization to disconnect systems that feel out of compliance. Most departments got with the program pretty quick when they ignored the "please patch all critical vulnerabilities in three days' email and ended up with a "you are out of compliance and have been disconnected" email.

And Docker had made the whole Linux situation even worse. So many devs love to spin up containers, basically disable any sort of firewall, don't bother with IP filtering. Oh and let's just use passwords for ssh. Also, who needs logs? It's a container, right. So, let's disable all logging and not forward those anywhere. Then they promptly forget about the container until we run a vuln scan and find it's got half a dozen RCE vulns and have to run them down and ask why the fuck it's still running.

Linux is a much better base to build on. But bad security hygiene is still rife and still really bad for security.

[–] frongt@lemmy.zip 2 points 1 day ago

"Should" is a four-letter word in fields like safety and security.