I’ve been running my home lab since 2021 and honestly thought my update routine was solid: apt update && apt upgrade, reboot, job done.

Turns out I was wrong. I was checking CVE‑2026‑31431 (Copy Fail) this morning and realised that despite my “successful” updates, I was still running a vulnerable kernel from March.

I’ve had to rethink how I handle host updates. If you’re relying on a standard upgrade and a reboot to keep Proxmox or Debian hosts safe, you might want to check if yours is lying to you as well.

  • Pommes_für_dein_Balg@feddit.org
    2 days ago

    I’ve been running Debian since 2007 and never understood the point of apt upgrade.
    When I update, I want the updated version for everything on my system.
    I don’t want to arbitrarily hold back packages just because a dependency changed. I’ll decide for myself if that’s an issue in my deployment. And Debian is generally very good at keeping everything running exactly the same way between releases.

    I pin the release by name (not “stable”) and then apt dist-upgrade always.
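
A check for the situation discussed in this thread, as an added example that is not part of the post or the comment: it lists packages that `apt-get -s upgrade` reports as kept back and compares the running kernel release with the newest one installed. It assumes the classic `apt-get` output format and that installed kernels appear under `/lib/modules`; the sample data and function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Function names are hypothetical.

# Print the packages listed under "kept back" in `apt-get -s upgrade` output (stdin).
kept_back() {
  awk '
    /^The following packages have been kept back:/ { kept = 1; next }
    kept && /^  / { for (i = 1; i <= NF; i++) print $i; next }
    { kept = 0 }
  '
}

# Compare the running kernel release ($1) with a newline-separated list of
# installed releases ($2); sort -V orders 6.8.12-10 after 6.8.12-4.
kernel_status() {
  newest=$(printf '%s\n' "$2" | sort -V | tail -n 1)
  if [ "$1" = "$newest" ]; then
    echo "current $1"
  else
    echo "stale running=$1 newest=$newest"
  fi
}

# Constructed sample data (not captured from a real host).
SAMPLE_APT='Calculating upgrade... Done
The following packages have been kept back:
  linux-image-amd64 proxmox-kernel-6.8
The following packages will be upgraded:
  curl libcurl4
2 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.'
SAMPLE_INSTALLED='6.8.12-4-pve
6.8.12-10-pve'

if [ "${1:-}" = "--live" ]; then
  # Real host: simulate the upgrade (changes nothing) and list /lib/modules.
  apt-get -s upgrade | kept_back
  kernel_status "$(uname -r)" "$(ls /lib/modules)"
else
  # Offline demo on the constructed sample.
  printf '%s\n' "$SAMPLE_APT" | kept_back
  kernel_status 6.8.12-4-pve "$SAMPLE_INSTALLED"
fi
```

On Debian a security update can keep the same release string, so a `current` result from `uname -r` alone does not prove the newest build is loaded; `uname -v` shows the package version of the kernel actually running.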