We are pleased to announce that 4 weeks ago we released new updates for NethServer 8, introducing important fixes and significant hardening designed to further reduce the system’s attack surface.
Upcoming Security Bulletin
Transparency is a core value of our project. On April 14th, we will publish a detailed Security Bulletin regarding these improvements.
Context & Perimeter
These updates are the result of a private penetration test performed on a specific installation of the NethSecurity Controller.
Proactive Fixes: During this assessment, a potential vulnerability was identified. We have successfully patched this flaw before any exploitation could occur.
Core Hardening: We took this opportunity to go beyond the specific finding, implementing a broader hardening of the NethServer 8 Core to strengthen the foundation of the entire ecosystem.
No Security Incidents: We want to clearly reassure our community that no incidents or breaches have occurred. These measures are entirely proactive.
The upcoming bulletin will clearly define the scope of the testing and the logic behind the fixes. We have carefully evaluated the information being shared; we believe that providing this clarity does not grant an advantage to potential attackers. Instead, it empowers our users with the knowledge needed to maintain a secure environment.
Minimum versions and verification
If automatic updates are enabled, systems are already protected. Below are the references to manually verify installed versions.
To be protected, ensure you are running the following versions (released starting from February 27, 2026) or later:
core: 3.18.3
nethsecurity-controller: 2.1.6
metrics: 1.2.4
How to check:
Go to the Applications page and filter by name to view module versions.
The core version of each node is visible by clicking the Core applications button.
How to update
Updates can be managed from the Software Center; more details are in the manual.
Thanks for the heads up, I do not see nethsecurity-controller being part of the core applications?
P.S. Taking another look at core applications, it seems that some modules that can be installed are becoming part of core applications if they are installed. Maybe it is just me, but I always thought that core applications are only the applications that are installed at initial installation time to run a basic NS8 server. So now the ‘basic’ core set of applications may vary from system to system. Is that not confusing? (Feel free to split my remarks into a separate topic.)
Indeed, hence my remarks above. NS8 Core applications can be a dynamic set and not a fixed set, whereas I thought that the core applications are a fixed and essential set of a basic NS8 server. All other apps that can be installed via the Software Center are apps/modules, not part of the fixed core set.