Kubernetes 1.33 EOL: 27 days to upgrade
Kubernetes 1.33 reaches end of life on June 28. No more security patches after that date. If you're on 1.33 or older, you have 27 days to act.
Fast and opinionated when something ships that deserves a reaction.
Proxmox VE 9.2 ships a cluster-wide load balancer, native WireGuard SDN, and BGP/EVPN route maps on Debian 13.5 and kernel 7.0.
GitHub banned Nightmare-Eclipse for publishing six unpatched Windows zero-days without coordination. The security community is angry. I think GitHub made the right call — and the debate we should be having is different from the one we are having.
PromptArmor achieved 5/5 file exfiltration from M365 tenants via Copilot Cowork with no CVE assigned — because the flaw is in the architecture, not the code.
CVE-2026-9256: buffer overflow in the nginx rewrite module affects all versions up to 1.31.0. Fixed in 1.30.2 stable and 1.31.1 mainline. Apply now.
OpenTelemetry graduated in CNCF on May 21 — 12,000+ contributors, second-highest velocity. The debate about standardizing on OTel is now settled.
shell-quote 1.8.4 fixes CVE-2026-9277 (CVSS 8.1): a newline in a .op token bypasses escaping because JavaScript's /(.)/g does not match line terminators.
OpenBSD 7.9 adds P/E-core-aware scheduling and unlocked socket splicing for multi-core throughput. The 60th release of the most security-focused BSD.
CVE-2026-33555: HAProxy HTTP/3 parser skips body size validation on stream close. One zero-byte QUIC DATA frame enables request smuggling. Patch via DSA-6291.
HPLIP 3.26.4 patches CVE-2026-8631 (CVSS 9.3): unauthenticated remote command injection via the HP printer driver daemon. No interaction required — update now.
OpenVPN 2.6.14 patches two unauthenticated CVEs: a DoS via malformed packet and a handshake data leak. Debian DSA-6289-1 covers Bookworm and Trixie.
CVE-2026-45434 (CVSS 9.8) in Apache OFBiz chains auth bypass to Groovy RCE. Default password 'ofbiz' ships on 10+ demo accounts. Fixed in 24.09.06.
CVE-2026-46633 in Twig lets a single quote in a template name inject arbitrary PHP into the cache file. Twig sandbox does not block it. Fixed in Twig 3.26.0.
Forge adds guardrails to local LLM tool-calling in Python. Lifts an 8B model from ~32% to 84% on its eval suite — no model swap, just a reliability wrapper.
BIND 9 patches six CVEs on May 20. CVE-2026-5950 lets unauthenticated remote attackers exhaust resolver memory. Update to 9.18.49, 9.20.23, or 9.21.22.
rsync 3.4.3 fixes six CVEs released May 20. CVE-2026-43618 (CVSS 8.1) leaks client memory from any pull against a malicious server -- no daemon config required.
Rmux is a Rust-built terminal multiplexer with a typed SDK for scripting and automating CLI and TUI apps — like tmux, but with a Playwright-style async API.
Mixed Version Proxy is now beta and on by default in Kubernetes 1.36. It prevents silent 404s that can trigger GC during rolling control plane upgrades.
etcd 3.7 beta brings RangeStream for large key-range queries and permanently removes the v2 API. etcd 3.4 is EOL. What to test before the stable release.
Evince and Atril have an argument injection bug in ev_spawn(). Opening a crafted PDF on GNOME or MATE runs arbitrary code. No patch — avoid untrusted PDFs.
CVE-2026-46680 patched across all four active containerd branches on May 20. Pick up 2.3.1, 2.2.4, 2.0.9, or 1.7.32 depending on which branch you run.
Over 160 npm packages were backdoored with valid SLSA Build Level 3 attestations. The trust model for GitHub Actions is broken -- here is what to fix.
arXiv now bans authors for one year if their paper contains AI-hallucinated citations. After the ban, every submission requires prior peer review. The model is not responsible. You are.
ingress-nginx went EOL in March 2026. No security patches, no CVE fixes. 50% of Kubernetes clusters still run it. Time to move to Gateway API.
The shift to internal developer platforms and AIOps is real. The reason DevOps engineers are angry about it is worth looking at honestly.
AI editors are useful. They are not a replacement for knowing what you are doing at the prompt. The terminal is where things work when something breaks.