What type of hardware are you using: Old laptop or computer What YunoHost version are you running: 12.1.40 How are you able to access your server: SSH Are you in a special context or did you perform specific tweaking on your YunoHost instance ?: no
Describe your issue
Hello all…
I have been keeping up with this issue and I thought it was ok, however I got the following error:
System package ‘kernel’ is currently in version ‘6.1.0-48-amd64’, which is vulnerable to a MAJOR security issue: CVE-2026-31431, 31433, 43284 and 43500 a.k.a ‘Copy Fail’ and ‘Dirty Frag’ / CRITICAL Privilege escalations from any local user account. It is recommended to upgrade AS SOON AS POSSIBLE to version ‘{‘bookworm’: ‘6.1.170-3’, ‘trixie’: ‘6.12.86-1’}’. More infos: https://copy.fail/, GitHub - V4bel/dirtyfrag · GitHub, CVE-2026-31431, CVE-2026-31433, CVE-2026-43284, CVE-2026-43500
I did the following:
Check the WebGUI for any new updates. Nothing reported
sudo su
yunohost tools update
yunohost tools upgrade system
But it said that everything was up to date…
Is there anything else that I can do to resolve this issue. I’m concerned, but not too much, as I only have a couple of “trusted” users
Many thanks
Dj
Share relevant logs or error messages
System package ‘kernel’ is currently in version ‘6.1.0-48-amd64’, which is vulnerable to a MAJOR security issue: CVE-2026-31431, 31433, 43284 and 43500 a.k.a ‘Copy Fail’ and ‘Dirty Frag’ / CRITICAL Privilege escalations from any local user account. It is recommended to upgrade AS SOON AS POSSIBLE to version ‘{‘bookworm’: ‘6.1.170-3’, ‘trixie’: ‘6.12.86-1’}’. More infos: https://copy.fail/, GitHub - V4bel/dirtyfrag · GitHub, CVE-2026-31431, CVE-2026-31433, CVE-2026-43284, CVE-2026-43500
- crypto: scatterwalk - Backport memcpy_sglist()
- crypto: algif_aead - use memcpy_sglist() instead of null skcipher
- crypto: algif_aead - Revert to operating out-of-place (CVE-2026-31431)
- crypto: algif_aead - snapshot IV for async AEAD requests
- crypto: authenc - use memcpy_sglist() instead of null skcipher
- virtio/vsock: don't use skbuff state to account credit
- virtio/vsock: remove redundant 'skb_pull()' call
- virtio/vsock: don't drop skbuff on copy failure
- vsock/loopback: use only sk_buff_head.lock to protect the packet queue
- virtio/vsock: fix leaks due to missing skb owner
–
- hugetlb: really allocate vma lock for all sharable vmas
- [armhf] remoteproc: core: Do pm_relax when in RPROC_OFFLINE state
- device_cgroup: Roll back to original exceptions after copy failure
- drm/connector: send hotplug uevent on connector cleanup
- drm/vmwgfx: Validate the box size for the snooped cursor (CVE-2022-36280)
Hmmmffff, I think I upgraded ok but it seems I have the 6.10 kernel. Also I cannot reboot the server, it kinda stucks after i either reboot via cli and web interface and I have to switch it off manually. After switching on I see the 6.10 kernel. The yuhonost version is the 12.1.40.1….
What is going on? Run into some issues with the Nextcloud update, mentioned in another thread…maybe connected I wonder.
the reboot fixed the issue for me.
I’m not sure if I’ve overlooked it, but It would be good if the YH-Admin is somehow informed via the YH-Webadmin, that a reboot is required.
I’m just learning that, so might be wrong, but apparently the package number might not change even tho there were fixes added. Or so I understand this Debian FAQ page.
When you go to your packages page you get additional version number for it ((6.1.172-1) [security]) and if you go there to the changelog there’s information on the newest version.