Safeguard
Tag

linux

Safeguard articles tagged "linux" — guides, analysis, and best practices for software supply chain and application security.

14 articles

Vulnerability Analysis

Shellshock (CVE-2014-6271) Explained: RCE Hiding in Bash Environment Variables

CVE-2014-6271, Shellshock, let attackers run commands by smuggling code into environment variables that Bash parsed as function definitions. Reachable over HTTP, DHCP, and SSH. Here is how.

Jul 5, 20265 min read
Vulnerability Analysis

Baron Samedit (CVE-2021-3156) Explained: The Sudo Root Overflow

CVE-2021-3156, Baron Samedit, is a heap overflow in sudo that gives any local user root and hid in plain sight for nearly a decade. Here is the root cause, a one-line test, and the patched version.

Jul 4, 20266 min read
Vulnerability Analysis

PwnKit (CVE-2021-4034) Explained: Root From a 12-Year-Old Polkit Bug

CVE-2021-4034, aka PwnKit, is a memory-corruption flaw in polkit's pkexec that gives any local user reliable root on nearly every Linux distribution. Here is how it works and how to close it.

Jul 1, 20265 min read
Vulnerability Management

The CUPS RCE chain: a postmortem of CVE-2024-47176 and friends

The September 2024 CUPS chain (CVE-2024-47176, 47076, 47175, 47177) turned a printer browsing daemon into a remote code execution vector and exposed how badly long-tail Linux daemons get patched.

May 12, 20266 min read
Vulnerability Management

regreSSHion revisited: defending against CVE-2024-6387 in 2026

How the regreSSHion race condition in OpenSSH sshd reintroduced an unauthenticated RCE on glibc Linux, what the patch trajectory looked like, and the supply chain habits it should change.

May 12, 20266 min read
Product

Safeguard Desktop App 1.0 Release

The Safeguard desktop application is 1.0 on macOS, Windows, and Linux. It brings the full workflow engine, Local Runner, and offline posture reviews to developers.

Mar 6, 20267 min read
Vulnerability Analysis

CUPS CVE-2024-47176: Network RCE via IPP

CVE-2024-47176 in cups-browsed lets attackers add rogue printers over UDP 631 and chain to RCE. Exploit flow, detection, and Linux distro impact.

Feb 6, 20267 min read
Vulnerability Analysis

PwnKit Five Years On: Why CVE-2021-4034 Still Lives in Production

PwnKit was a trivial local privilege escalation in polkit that affected nearly every Linux distribution for over a decade. The technical details and the residual risk in 2026.

Feb 3, 20265 min read
DevSecOps

Reproducible Builds Debian: The Long View

Debian's Reproducible Builds project has been at it for over a decade. Here's what they've learned, what still isn't reproducible, and why it matters.

Dec 20, 20248 min read
Infrastructure Security

Debian Repository Security: A Practical Hardening Guide

Debian APT is powerful but riddled with trust assumptions. Here is how to lock it down for production environments.

Oct 12, 20226 min read
Supply Chain Security

Linux Distribution Package Signing: How It Actually Works

Package signing is the backbone of Linux software distribution security. Most teams trust it blindly without understanding the verification chain they depend on.

Jun 12, 20227 min read
Container Security

Docker Container Escape Vulnerabilities: Techniques and Defenses

Containers are not VMs. When an attacker escapes a container, they own the host — and potentially every other container running on it. Here are the escape techniques you need to defend against.

May 12, 20226 min read
linux — Safeguard Blog