this post was submitted on 14 May 2026
118 points (100.0% liked)

Selfhosted

60093 readers
918 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam.

  3. Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.

  4. Don't duplicate the full text of your blog or git here. Just post the link for folks to click.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require your active participation in selfhosting or related communities, or the post will be removed. No more than 10% of your posts or comments may be self-promotional, or your post will be removed. F/LOSS Exception: If your post is about a project that is completely open source & can be self-hosted in full without payment, your post is exempt from this rule as long as you continue to engage in comments.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
118
18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE (thehackernews.com)
submitted 1 month ago* (last edited 1 month ago) by eager_eagle@lemmy.world to c/selfhosted@lemmy.world
15 comments fedilink hide all child comments
 

Update your nginx instances

cross-posted from: https://lemmy.world/post/46851448

CVE - Common Vulnerabilities and Exposures system
RCE - Remote Code Execution
PoC - Proof of Concept

top 15 comments
sorted by: hot top controversial new old
[–] K3can@lemmy.radio 12 points 1 month ago

Seems to be specific to rewrites using an un-named capture.

grep -rnE "\$[0-9.*].*\?" /etc/ngnix

should show if you have any potentially vulnerable directives in your config.

[–] skankhunt42@lemmy.ca 11 points 1 month ago (2 children)

It's days like this where I'm happy I'm unemployed. I have a group chat with a few friends and they're pushing out patches and it's a bit of a rush.

All my publicly accessible servers update every 6 hours and reboot after whenever they need to. It's rare I need to step in and fix something. I checked a few hours ago and I'm not at risk.

[–] GreenKnight23@lemmy.world 11 points 1 month ago (1 children)

All my publicly accessible servers update every 6 hours and reboot after whenever they need to. It's rare I need to step in and fix something. I checked a few hours ago and I'm not at risk.

not the flex you think it is.

didn't npm have a worm problem a few days ago?

[–] skankhunt42@lemmy.ca 5 points 1 month ago (3 children)

Yep. I wasn't affected thankfully. Didn't realise I was flexing, sorry. Just happy most of my stack is automated and it's quite low maintenance at this point.

Where do I draw the line then? Serious question. If updating every couple hours is bad, then what's safe?

[–] GreenKnight23@lemmy.world 3 points 1 month ago

for corporate services we do every 30 days. which is standard. emergency patches get direct support and resolved quickly.

[–] JaddedFauceet@lemmy.world 2 points 1 month ago

idk, also it is not about the frequency you update, it is usually about how long has it been since package is published to the internet

see concept of min release age https://pnpm.io/blog/releases/10.16

i wonder if other package manager have similar thing or not

[–] pinhead77@piefed.social 1 points 1 month ago* (last edited 1 month ago)

You can use pnpm instead of npm. pnpm has a "Delay dependency updates" feature where you can install package versions that are x old only.
See https://pnpm.io/supply-chain-security#delay-dependency-updates

Edit: I just found out, that this can also be specified in npm and yarn: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e93104

[–] motruck@lemmy.zip 2 points 1 month ago (1 children)

Your friends should do a PoC before they rush to fix random bugs that ostensibly have a high severity.

[–] motruck@lemmy.zip 2 points 1 month ago

You should tell that on your group chat. Motruck says you need to slow down and stop jumping at high severity but low exploitabile trash.

[–] Nighed@feddit.uk 7 points 1 month ago (1 children)

Apparently not a massive deal? (I don't know, just linking someone who seems to have a clue)

https://cyberplace.social/@GossiTheDog/116578019563133410

[–] eager_eagle@lemmy.world 1 points 1 month ago

good to know!

[–] cheesemoo@lemmy.world 6 points 1 month ago

For anyone else using SWAG, it looks like a fix is on its way but not available yet. This SWAG issue points to an upstream Alpine package dependency that needs to be updated first. Looking at the source, they just recently committed backported patches, so presumably a new version will be released soon; then the SWAG image can be updated.

[–] Lemmchen@feddit.org 3 points 1 month ago* (last edited 1 month ago) (1 children)

I have an old Debian 11 "bullseye" installation running on one of my servers. It's stuck at nginx 1.18.0, but it should theoretically still be covered by Debian 11 LTS security updates, right? https://wiki.debian.org/LTS/Using
nginx/oldoldstable-security,now 1.18.0-6.1+deb11u5

[–] Decronym@lemmy.decronym.xyz 2 points 1 month ago* (last edited 1 month ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
HTTP Hypertext Transfer Protocol, the Web
LTS Long Term Support software version
nginx Popular HTTP server

2 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.

[Thread #290 for this comm, first seen 15th May 2026, 02:30] [FAQ] [Full list] [Contact] [Source code]