linux
Safeguard articles tagged "linux" — guides, analysis, and best practices for software supply chain and application security.
14 articles
Shellshock (CVE-2014-6271) Explained: RCE Hiding in Bash Environment Variables
CVE-2014-6271, Shellshock, let attackers run commands by smuggling code into environment variables that Bash parsed as function definitions. Reachable over HTTP, DHCP, and SSH. Here is how.
Baron Samedit (CVE-2021-3156) Explained: The Sudo Root Overflow
CVE-2021-3156, Baron Samedit, is a heap overflow in sudo that gives any local user root and hid in plain sight for nearly a decade. Here is the root cause, a one-line test, and the patched version.
PwnKit (CVE-2021-4034) Explained: Root From a 12-Year-Old Polkit Bug
CVE-2021-4034, aka PwnKit, is a memory-corruption flaw in polkit's pkexec that gives any local user reliable root on nearly every Linux distribution. Here is how it works and how to close it.
The CUPS RCE chain: a postmortem of CVE-2024-47176 and friends
The September 2024 CUPS chain (CVE-2024-47176, 47076, 47175, 47177) turned a printer browsing daemon into a remote code execution vector and exposed how badly long-tail Linux daemons get patched.
regreSSHion revisited: defending against CVE-2024-6387 in 2026
How the regreSSHion race condition in OpenSSH sshd reintroduced an unauthenticated RCE on glibc Linux, what the patch trajectory looked like, and the supply chain habits it should change.
Safeguard Desktop App 1.0 Release
The Safeguard desktop application is 1.0 on macOS, Windows, and Linux. It brings the full workflow engine, Local Runner, and offline posture reviews to developers.
CUPS CVE-2024-47176: Network RCE via IPP
CVE-2024-47176 in cups-browsed lets attackers add rogue printers over UDP 631 and chain to RCE. Exploit flow, detection, and Linux distro impact.
PwnKit Five Years On: Why CVE-2021-4034 Still Lives in Production
PwnKit was a trivial local privilege escalation in polkit that affected nearly every Linux distribution for over a decade. The technical details and the residual risk in 2026.
Reproducible Builds Debian: The Long View
Debian's Reproducible Builds project has been at it for over a decade. Here's what they've learned, what still isn't reproducible, and why it matters.
Debian Repository Security: A Practical Hardening Guide
Debian APT is powerful but riddled with trust assumptions. Here is how to lock it down for production environments.
Linux Distribution Package Signing: How It Actually Works
Package signing is the backbone of Linux software distribution security. Most teams trust it blindly without understanding the verification chain they depend on.
Docker Container Escape Vulnerabilities: Techniques and Defenses
Containers are not VMs. When an attacker escapes a container, they own the host — and potentially every other container running on it. Here are the escape techniques you need to defend against.