Patch now.
Linux security updates dropped like bombs this Tuesday, hitting everything from kernels to that nightmare xz utils. AlmaLinux admins, your crun and kernel just got urgent bandaids. Red Hat’s flinging OpenSSL fixes across EL7 to EL9. And Mageia? They’re patching xz — yes, that xz, the backdoor darling from last year’s supply chain horror show.
It’s the usual Tuesday ritual. Distros scramble, users yawn, exploits brew in the shadows. But here’s my unique jab: this xz patch in Mageia isn’t coincidence — it’s open source’s eternal game of whack-a-mole with saboteurs. Predict this: by summer, we’ll see another “trusted maintainer” gone rogue, because vetting contributors still feels like herding cats on caffeine.
Dist. ID Release Package Date Mageia MGASA-2026-0084 9 xz 2026-04-06
That table row? Pure dread. xz, the compression lib that nearly pwned SSH daemons worldwide in 2024. Mageia says update or else.
AlmaLinux: Kernel Crutches
Short version: Update.
AlmaLinux shoved out ALSA-2026:6571 for kernel on 8, plus kernel-rt, and crun for 9 and 10. Crun’s that container runtime — think podman guts. Why care? Buffer overflows waiting to pop, probably. They’ve been quiet on details, but if you’re virtualizing, don’t dawdle. It’s RHEL-compatible land, so enterprise drones, your compliance nag just pinged.
And crun twice? Feels sloppy, like they fixed it, broke it, fixed it again. Classic.
Red Hat’s OpenSSL Onslaught
Red Hat went berserk with edk2 — that’s UEFI firmware, folks — across EL9 variants. RHSA-2026:3164-01, 2776-01, 2771-01. Firmware flaws? Boot-time ownage potential. Then OpenSSL hits: EL7’s RHSA-2026:1720-01, EL8.4’s 1475-01, EL9.0’s 1349-01.
OpenSSL. Again. The crypto Swiss Army knife everyone leans on, forever leaking like a sieve. Remember Heartbleed? This batch likely seals some side-channel or padding oracle nonsense. But Red Hat’s advisories read like legalese — zero drama, all urgency. If you’re on ancient EL7, migrate or patch, fool.
Here’s the thing. Red Hat’s patching spree screams “we test this crap religiously,” yet breaches still happen. Corporate armor? More like a screen door.
Why Is Mageia Patching Everything?
Mageia 9 got seven MGASAs. Freerdp (remote desktop, RDP holes galore), polkit-122 (privilege escalation kingpin), python-nltk, pyasn1, vim, and xz.
Vim? Text editor from hell, scripting exploits since 1991. Polkit? That gem where one bad config roots your box. And pyasn1 — ASN.1 parsing, crypto adjacencies. Mageia’s like the eccentric uncle dumping fixes weekly. Love it. Hate the fragmentation.
But xz. Oh, xz. 2024’s supply chain gut-punch, where a Microsoft dev (irony!) snuck malware via upstream commits. This patch? Probably upstream’s revenge. Mageia users, you’re first in the crosshairs — update, then brew coffee.
SUSE’s no slouch either. Avahi (Zeroconf, network discovery bait), cockpit (web console), pyOpenSSL, python311, tar across SLE-m modules. Tar? Archiving tool exploits? Who knew. Cockpit’s for remote management — prime phish target.
Ubuntu’s Kernel Fiesta
Ubuntu’s serving linux-gcp flavors for ancient 16.04/18.04 (USN-8145-3), linux-oem-6.17 (24.04), linux-realtime-6.17. Plus lambdaisland-uri-clojure? Clojure URI lib? Niche, but JVM land, beware URI parsing bombs.
And dovecot in Debian stable (DSA-6197-2) — IMAP server, email gateway to hell. Buffer issues, DoS vectors. Mail servers, you’re welcome.
Fedora’s light: calibre (ebooks?!) and nextcloud in F42/F43. Calibre’s PDF renderer — exploit playground. Nextcloud’s cloud sync, auth woes.
Why Does This Matter for Sysadmins?
Look. You’re busy. Kids, deadlines, coffee runs. But skipping patches? That’s begging for ransomware Christmas.
Kernel updates — Alma, Ubuntu — fix CVEs that pwn your ring 0. OpenSSL? Web servers crumble. xz? Supply chain ghosts haunt forever.
My bold call: Distros like Red Hat hide severity to avoid panic, but stack these — and your fleet’s a sitting duck. Historical parallel? 2016’s JBoss RCE waves, ignored patches everywhere. Don’t repeat.
Patch cadence matters. Tuesdays mean upstream CVE firehose. Automate with dnf/yum/apt, test in staging, roll out. Or hire me to yell.
SUSE’s python311 and tar? Micro-risks add up — one chain, game over.
Dry humor break: If vim needs a security patch, maybe just use nano. Nah.
Who’s Hit Hardest?
Red Hat ecosystem: edk2 + OpenSSL = firmware-to-app doom stack.
Mageia: Patch party supreme.
Enterprise? Alma/RHEL clones first.
Desktop Fedora/Ubuntu? Lighter, but kernels bite.
🧬 Related Insights
- Read more: Why This Freelancer Built an Invoicing App That Refuses to Touch the Cloud
- Read more: Uber’s Go Monorepo Nearly Killed Productivity – And How They Barely Saved It
Frequently Asked Questions
What are the latest Linux security updates for April 2026?
AlmaLinux kernel/crun, Red Hat OpenSSL/edk2, Mageia xz/vim/polkit, Ubuntu linux-gcp/oem, SUSE cockpit/tar, plus Debian dovecot, Fedora calibre/nextcloud.
Do I need to update xz on Mageia right now?
Yes. Echoes 2024 backdoor — compression lib flaws enable remote code exec in tools like SSH.
Which distros patched kernels this Tuesday?
AlmaLinux (8), Ubuntu (gcp/oem/realtime 24.04/older). Prioritize if running servers.
