Security

CVE-2025-12183 affects lz4-java 1.8.0, which has out-of-bounds memory operations. The fix exists in version 1.8.1, but the original maintainer at org.lz4:lz4-java did not release it. Instead, Sonatype redirects requests for org.lz4:lz4-java:1.8.1 to a fork at at.yawk.lz4:lz4-java:1.8.1. This creates a problem: both artifacts declare the same capability (org.lz4:lz4-java), causing Gradle to fail with a capability conflict when both end up on the classpath through transitive dependencies. The Problem When a library changes ownership or is forked to a new Maven coordinate, you cannot simply bump the version number. The old coordinate stops receiving updates, and the new coordinate is technically a different artifact. If any transitive dependency still pulls in the old coordinate, Gradle sees two artifacts claiming the same capability and fails. ...

Linkerd provides automatic mTLS between all pods in the mesh. This encrypts traffic and provides identity verification. However, it does not restrict which pods can communicate with each other. Any pod in the mesh can connect to any other pod. Kubernetes NetworkPolicies add an additional layer of security by defining explicit allow rules at the network level. This provides defense-in-depth: if Linkerd’s proxy is somehow bypassed, NetworkPolicies still enforce access control. ...

OPNsense includes Suricata for intrusion detection, but the built-in alerts page provides limited visibility. This post covers forwarding IDS alerts to Loki via syslog and visualizing them in Grafana alongside firewall logs. Architecture ┌─────────────────┐ UDP/514 ┌──────────────────┐ │ OPNsense │ RFC5424 │ Promtail │ │ ┌───────────┐ │ ───────────────▶ │ (syslog recv) │ │ │ Suricata │ │ │ 192.168.2.221 │ │ │ filterlog │ │ └────────┬─────────┘ │ └───────────┘ │ │ └─────────────────┘ ▼ ┌──────────────────┐ │ Loki │ │ (log storage) │ └────────┬─────────┘ │ ▼ ┌──────────────────┐ │ Grafana │ │ (dashboards) │ └──────────────────┘ Prerequisites OPNsense firewall with Suricata IDS enabled Kubernetes cluster with Loki deployed MetalLB or NodePort for exposing the syslog receiver Step 1: Enable Suricata IDS on OPNsense Navigate to Services → Intrusion Detection → Administration. ...

Certificates expire. In a Kubernetes homelab with Linkerd service mesh, this means the identity issuer certificate needs renewal annually. Without automation, this becomes a manual task that’s easy to forget until mTLS breaks across the cluster. This post covers installing cert-manager on a bare-metal kubeadm cluster and configuring it to automatically rotate Linkerd’s identity issuer certificate. The Problem Linkerd uses a two-tier PKI: Certificate Purpose Default Lifetime Trust Anchor Root CA for the mesh 10 years Identity Issuer Signs proxy certificates 1 year The identity issuer expires annually. When it does, new proxy sidecars cannot obtain valid certificates, breaking mTLS. The trust anchor rarely needs rotation, but the identity issuer requires attention. ...

If you’re running a homelab with multiple network segments, there’s a good chance you have at least one machine connected to more than one network. Maybe your workstation has a wired connection to your DMZ and wireless to your trusted WLAN. Convenient? Yes. A potential security hole? Also yes. The Problem My workstation sits on two networks: wireless connected to my home WLAN (192.168.3.0/24) and wired into my DMZ (192.168.4.0/24). The DMZ is intentionally isolated—it’s where I run services exposed to the internet. The WLAN is where everything else lives: personal devices, management interfaces, the stuff I actually care about protecting. ...