Selfhosted

60093 readers

1118 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam.
Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.
Don't duplicate the full text of your blog or git here. Just post the link for folks to click.
Submission headline should match the article title.
No trolling.
Promotion posts require your active participation in selfhosting or related communities, or the post will be removed. No more than 10% of your posts or comments may be self-promotional, or your post will be removed. F/LOSS Exception: If your post is about a project that is completely open source & can be self-hosted in full without payment, and your account is at least 7 days old, your post is exempt from this rule as long as you continue to engage in comments.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago

MODERATORS

curbstickle@anarchist.nexus

curbstickle_lw@lemmy.world

118

18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE (thehackernews.com)

submitted 1 month ago* (last edited 1 month ago) by eager_eagle@lemmy.world to c/selfhosted@lemmy.world

15 comments fedilink hide all child comments

Update your nginx instances

cross-posted from: https://lemmy.world/post/46851448

Affected an non-affected versions https://nginx.org/en/security_advisories.html
CVE record https://www.cve.org/CVERecord?id=CVE-2026-42945
CVE details https://nvd.nist.gov/vuln/detail/CVE-2026-42945
PoC https://github.com/DepthFirstDisclosures/Nginx-Rift

CVE - Common Vulnerabilities and Exposures system
RCE - Remote Code Execution
PoC - Proof of Concept

you are viewing a single comment's thread
view the rest of the comments

[–] skankhunt42@lemmy.ca 11 points 1 month ago (7 children)

It's days like this where I'm happy I'm unemployed. I have a group chat with a few friends and they're pushing out patches and it's a bit of a rush.

All my publicly accessible servers update every 6 hours and reboot after whenever they need to. It's rare I need to step in and fix something. I checked a few hours ago and I'm not at risk.

[–] GreenKnight23@lemmy.world 11 points 1 month ago (4 children)

All my publicly accessible servers update every 6 hours and reboot after whenever they need to. It's rare I need to step in and fix something. I checked a few hours ago and I'm not at risk.

not the flex you think it is.

didn't npm have a worm problem a few days ago?

[–] skankhunt42@lemmy.ca 5 points 1 month ago (3 children)

Yep. I wasn't affected thankfully. Didn't realise I was flexing, sorry. Just happy most of my stack is automated and it's quite low maintenance at this point.

Where do I draw the line then? Serious question. If updating every couple hours is bad, then what's safe?

[–] pinhead77@piefed.social 1 points 1 month ago* (last edited 1 month ago)

You can use pnpm instead of npm. pnpm has a "Delay dependency updates" feature where you can install package versions that are x old only.
See https://pnpm.io/supply-chain-security#delay-dependency-updates

Edit: I just found out, that this can also be specified in npm and yarn: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e93104

load more comments (2 replies)

load more comments (4 replies)