Notes on hosting, email security, and infrastructure from a 30-year hosting provider.
DMARCbis Is Official: RFC 9989 Upgrades DMARC From Suggestion to Standard
In May 2026, the IETF quietly did something that email administrators have been waiting on for years: they published RFC 9989, RFC 9990, and RFC 9991 — collectively known as DMARCbis. These three documents replace RFC 7489, which has been the authoritative reference for DMARC since 2015. The headline change isn’t technical; it’s procedural. The original RFC 7489 was published as an Informational document, meaning it described what the industry was already doing, not what it was required to do. DMARCbis arrives as a Proposed Standard on the IETF Standards Track — the first formal step toward becoming an Internet Standard. In plain terms: DMARC just graduated from “strong industry recommendation” to “official protocol.” ...
Dead.Letter (CVE-2026-45185): Unauthenticated RCE in Exim GnuTLS Builds — Patch Now
If you’re running Exim on Debian or Ubuntu and haven’t patched in the past five weeks, there’s a reasonable chance your mail server is remotely exploitable by anyone who can open a TLS connection to port 25. No credentials required. No special tooling. Standard SMTP commands. CVE-2026-45185, nicknamed Dead.Letter, is a use-after-free vulnerability in Exim’s BDAT message parsing path. CVSS score: 9.8 Critical. Fixed in Exim 4.99.3, released May 12, 2026. If you haven’t checked your version since then, now would be a good time. ...
PHP 8.2 Turns Off the Lights in December: Is Your Stack Ready?
On June 4, 2026, the PHP team pushed two releases: PHP 8.4.22 and PHP 8.5.7, both routine bug-fix updates. Notice what’s missing: no 8.2 release, no 8.3 release. That’s not an oversight — it’s the lifecycle working as designed. Once a PHP branch exits active support, it receives security patches only when a qualifying CVE appears. Routine bug fixes stop. June was a bug-fix month, so 8.2 and 8.3 sat it out. ...
Apache 2.4.68 Lands: The HTTP/2 Bomb Fix Goes Mainline, Plus an .htaccess Privilege Escalation Worth Knowing About
Apache HTTP Server 2.4.68 came out on June 8, 2026 — the first point release since 2.4.67 in early May, and per the project’s own download page, it’s “recommended over all previous releases.” If you run your own LAMP stack, this is the patch to schedule this week.
What’s actually in it
The public CVE list on httpd.apache.org hasn’t fully caught up to the release yet, but the individual disclosures have already landed on oss-security and in distro security trackers. Three are worth knowing about specifically. ...
Rspamd 4.1.0: Security Fixes, a Reworked MX Check, and a Breaking Symbol Rename
Rspamd 4.1.0 dropped on June 5 — a major release tagged “recommended upgrade for all users” by the development team. There’s enough in it that’s immediately relevant to anyone running a mail server to warrant reading the changelog before blindly upgrading.
The security fixes
This release addresses several memory-safety issues that can be triggered by crafted incoming mail.
S/MIME DoS via recursive PKCS7: A deeply nested application/pkcs7-mime message re-entered the parser without incrementing the nesting counter. In practice this means a malicious sender could craft a message that exhausts your rspamd worker’s stack. The fix gates S/MIME re-entry against the existing max_nested limit. ...
CVE-2026-49975: The HTTP/2 Bomb That Knocks nginx and Apache Offline With a Single Connection
On June 3, 2026, researcher Quang Luong published a remote denial-of-service exploit called the HTTP/2 Bomb that can exhaust tens of gigabytes of server memory using nothing more than a home internet connection. The vulnerability was posted to oss-security the same day and affects nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora in their default HTTP/2 configurations. The CVE identifier CVE-2026-49975 was assigned to the Apache httpd variant.
What the attack does
The exploit chains two techniques, both of which have been individually documented for roughly a decade, in a way that no prior public research had combined against these servers. ...
Microsoft Joined the DMARC Club — Is Your Domain Ready?
Google and Yahoo dropped their email authentication hammer in February 2024. Microsoft watched that unfold, nodded slowly, and then did the same thing on May 5, 2025. If your domain hasn’t sorted out SPF, DKIM, and DMARC by now, a chunk of your outbound mail is already being rejected — silently, with no bounce to show for it.
What Microsoft Actually Requires
For anyone sending 5,000 or more messages per day to Microsoft consumer addresses (@outlook.com, @hotmail.com, @live.com), the requirements are: ...
Dovecot 2.4.4 Patches Five Vulnerabilities — Update Now
On 5 May 2026, the Dovecot team published security advisory OXDC-2026-0002, covering five vulnerabilities fixed in OX Dovecot CE 2.4.4 (and Pro 3.1.5). If you are running Dovecot CE 2.4.3 or earlier, this is your prompt to upgrade.
What’s in the advisory
CVE-2026-27851 — SQL/LDAP injection via variable expansion (CVSS 7.4)
The most serious of the five. When the safe filter is used in Dovecot’s variable expansion (lib-var-expand), it incorrectly treats all subsequent pipelines on the same string as safe too. The result: attacker-controlled data can bypass escaping and land unmodified in SQL or LDAP queries used for authentication. No public exploit exists yet, but CVSS 7.4 with a network attack vector and no required privileges is not something to sit on. If you cannot upgrade immediately, the workaround is to avoid the safe filter in your configuration until you can. ...
CVE-2026-35549: MariaDB's caching_sha2_password Plugin Can Crash Your Database — and Most Distro Packages Still Haven't Fixed It
MariaDB patched CVE-2026-35549 on April 3, 2026. Seven weeks later, the fixed packages haven’t landed in the official repositories of RHEL 8, 9, and 10, Ubuntu LTS releases, or CentOS 8. If you’re running distro-packaged MariaDB and have the caching_sha2_password authentication plugin in use, your database server can be crashed by any authenticated user with a single oversized packet.
What the Bug Is
The vulnerability lives in the caching_sha2_password authentication plugin — MariaDB’s compatibility layer for the plugin MySQL 8.0 made default. When processing an authentication request, the plugin calls sha256_crypt_r, which allocates memory via alloca(). Unlike malloc(), alloca() grabs memory directly from the stack with no size check whatsoever. Feed it a packet that’s large enough, and the function attempts to allocate more stack space than exists, causing the server process to crash immediately. ...
CVE-2026-29204: WHMCS's IDOR Bug Scores a Perfect 10 — Patch Before Your Customers Notice
If you run WHMCS and haven’t updated in the past week, stop reading and go do that first. Back? Good. Here’s what you just patched.
What the Vulnerability Is
On 12 May 2026, WHMCS published CVE-2026-29204 — an authorization bypass rooted in clientarea.php. The flaw is textbook IDOR (Insecure Direct Object Reference, classified as CWE-639): when a client area user submits a request that includes an addonId parameter, WHMCS fails to verify whether that addon actually belongs to the requesting account. Swap in a different user’s addonId, and you walk straight into their services. ...