7 Critical Security Patches You Need to Install Now
Keeping your systems secure is an ongoing battle. This week, major Linux distributions rolled out a wave of security updates addressing critical vulnerabilities in widely used packages. From web browsers to system libraries, these patches fix flaws that could allow remote code execution, privilege escalation, or data breaches. Below, we break down the seven most essential updates — one for each vendor — so you can prioritize your patching.
1. AlmaLinux: Patching libsoup and mingw-libtiff
AlmaLinux has released updates for two packages: libsoup and mingw-libtiff. libsoup is a key HTTP client/server library used by GNOME and other desktop environments. The update addresses a security hole that could enable remote attackers to cause a denial-of-service or possibly execute arbitrary code via specially crafted HTTP responses. Meanwhile, mingw-libtiff is a MinGW cross-compiled version of the libtiff library, commonly used to handle TIFF images. Its update fixes integer overflow issues that could lead to heap buffer overflows and potential remote code execution when processing malicious image files. If you’re running AlmaLinux on servers or desktops, apply these patches immediately to protect against exploit attempts targeting these libraries.

2. Debian: Critical Fixes for Browser, Office Suite, and More
Debian’s security team has been busy with patches for apache2, chromium, lcms2, libreoffice, and prosody. The Chromium update is particularly urgent, as it fixes multiple vulnerabilities including high-severity issues in V8 and use-after-free bugs that could let attackers take control of your browser. The Apache HTTP Server update addresses a request smuggling vulnerability that might allow an attacker to bypass access restrictions. LibreOffice patches resolve code execution flaws in document parsing, while lcms2 (Little CMS) closes out-of-bounds read issues. Prosody, an XMPP server, gets a fix for a denial-of-service via malformed stanza. If you’re using Debian stable or testing, update all these packages without delay.
3. Fedora: OpenSSL and Perl-Starman Under the Microscope
Fedora has issued updates for openssl and perl-Starman. The OpenSSL update is critical: it resolves a vulnerability in the punycode decoder (CVE-2022-3602) that could cause a denial-of-service or potentially remote code execution when malicious certificates are processed. Fedora users should upgrade OpenSSL immediately to prevent TLS/SSL attacks. The perl-Starman update fixes a missing privilege separation issue. Starman is a Perl-based PSGI server used for web applications; without this patch, an attacker could gain elevated privileges. Check your Fedora system (versions 36, 37, 38) and apply updates via dnf update.
4. Oracle: Three Packages Get Security Fixes
Oracle Linux users should look out for updates to git-lfs, libsoup, and perl-XML-Parser. Git LFS (Large File Storage) had an issue that allowed a remote attacker to overwrite arbitrary files with crafted Git LFS objects, potentially leading to repository corruption or code execution. The libsoup fix is similar to AlmaLinux’s, addressing HTTP stream vulnerabilities. The perl-XML-Parser update resolves a denial-of-service vulnerability via specially crafted XML input. Oracle Linux is widely used in enterprise environments, so these patches are essential for maintaining security compliance and preventing supply chain attacks through Git repositories.
5. Slackware: libgpg, Mozilla, and PHP Patched
Slackware has released updates for libgpg, mozilla (likely Firefox and Thunderbird), and php. The libgpg update fixes a remote code execution flaw in the GPGME library that could be triggered by crafted OpenPGP packets. Mozilla patches address multiple high-severity vulnerabilities found in Firefox and Thunderbird, including memory safety bugs that could lead to arbitrary code execution. The PHP update fixes a heap buffer overflow in the PHP filter implementation, affecting any application using PHP to process user input. Slackware users should upgrade these packages via upgradepkg to ensure their systems stay secure against these active threats.
6. SUSE: A Massive Security Rollout for Enterprise Systems
SUSE has published patches for an extensive list of packages, including 389-ds, cairo, cf-cli, chromedriver, cri-tools, freeipmi, gnutls, grafana, java-11-openjdk, java-17-openjdk, jetty-minimal, and many more. High-priority updates include cairo (fixes a use-after-free in image rendering), gnutls (patches for certificate validation bypass), grafana (authentication bypass vulnerability), and thunderbird (multiple memory safety issues). The Java openjdk updates address critical remote code execution vulnerabilities. SUSE Enterprise customers should immediately review the full advisory and apply patches using zypper, especially for container-related tools like cri-tools and docker.
7. Ubuntu: From Kernel to Vim — Patches Across the Board
Ubuntu's latest security updates cover a broad spectrum: civicrm, dpkg, htmlunit, lcms2, libpng1.6, linux (kernel and cloud variants), lua5.1, nasm, opam, openexr, openjpeg2, owslib, postfix, postfixadmin, and vim. The Linux kernel updates are critical: they fix multiple vulnerabilities including a use-after-free in the io_uring subsystem and an out-of-bounds write in the i2c driver. Postfix gets a patch for a remote code execution via email handling. Vim updates address a heap buffer overflow that could be triggered by opening a malicious file. Users of Ubuntu 18.04 LTS, 20.04 LTS, and 22.04 LTS should run sudo apt update && sudo apt upgrade to secure all these packages.
Staying on top of security patches is the simplest and most effective way to defend your systems. Each of these updates addresses real, often severe vulnerabilities that attackers may already be exploiting. Make it a habit to check your distribution’s security advisories regularly, and apply patches as soon as they are available. For high-risk environments, consider automated patching solutions to ensure no critical update is missed. Stay safe out there.