The Update Conundrum
the.unknown-universe.co.uk
How a “kept back” Proxmox kernel left my home lab exposed to CVE‑2026‑31431 — why I now check upgradable packages and use apt full‑upgrade.

I’ve been running my home lab since 2021 and honestly thought my update routine was solid: apt update && apt upgrade, reboot, job done.

Turns out I was wrong. I was checking CVE‑2026‑31431 (Copy Fail) this morning and realised that despite my “successful” updates, I was still running a vulnerable kernel from March.

I’ve had to rethink how I handle host updates. If you’re relying on a standard upgrade and a reboot to keep Proxmox or Debian hosts safe, you might want to check if yours is lying to you as well.

    • TheIPW@lemmy.mlOP
      1·
      53 minutes ago

      No, apt isn’t just a rename. apt upgrade largely replaces apt-get upgrade, but it’s a bit more aggressive: it may install new packages if required as dependencies (it still won’t remove packages). If an upgrade needs to remove packages to resolve dependencies, use apt full-upgrade (same as apt-get dist-upgrade).

  • Pommes_für_dein_Balg@feddit.org
    41·
    5 hours ago

    I’ve been running Debian since 2007 and never understood the point of apt upgrade .
    When I update, I want the updated version for everything on my system.
    I don’t want to arbitrarily hold back packages just because a dependency changed. I’ll decide for myself if that’s an issue in my deployment. And Debian is generally very good at keeping everything running exactly the same way between releases.

    I pin the release by name (not “stable”) and then apt dist-upgrade always.

  • ShortN0te@lemmy.ml
    12·
    7 hours ago

    When a kernel update requires a change in dependencies, something Proxmox kernels do frequently, apt just quietly “keeps back” the package. It doesn’t fail, it doesn’t break the system, and it doesn’t trigger a rollback. It just waits for me to notice.

    This should save a click for hopefully everyone.

    Yes obviously, if you do not update the packages then they do not get updated.

    If you do not read the output of a command then you will not notuce that.

    • paris@lemmy.blahaj.zone
      8·
      3 hours ago

      The standard upgrade command has this behavior though, which is unexpected to people like me and the author. You need a specific flag to tell apt to actually upgrade everything which is not the behavior I expected.

  • actionjbone@sh.itjust.works
    10·
    13 hours ago

    Thanks for sharing this. I’m very confident with Linux, but I hadn’t thought about this!

    Your blog post was concise, too. I hate scrolling forever before finding the solution.

    • TheIPW@lemmy.mlOP
      5·
      13 hours ago

      Glad you found it useful. I’m the same, I can’t stand those long posts that make you read a life story before getting to the commands, even worse when a page is riddled by ads or behind a paywall!

      I figured if I’d missed it, a few other people probably had too.

  • hendrik@palaver.p3x.deEnglish
    5·
    11 hours ago

    Shouldn’t the upgrade also update the bootloader’s default entry to a new kernel? The way I’ve been doing it was apt update && apt dist-upgrade. And then reboot once every 1 to 2 years if I feel like it, am bored, or there’s all these news articles about a severe bug in the kernel.