FIXING Linux vulnerability CVE-2026-31431, dubbed "Copy Fail" (algif_aead)

The Linux news lately has been full of reports on the new malware ‘zero day’ danger due to a root privilege escalation vulnerability arising from a kernel flaw with algif_aead. But there’s no mention on the forum here??
So I did some research. Debian 12 supposedly has a fixed kernel patch now. Although I have Hestia set to auto update, it doesn’t update the actual OS. So to update the kernel, I ran:
sudo apt update
sudo apt install --only-upgrade linux-image-amd64 linux-headers-amd64
sudo reboot
But in testing the result with:
uname -r
I got: 6.1.0-45-amd64
But that’s still an old kernel version; for safety, it’s supposed to be a minimum of: 6.1.170-1
I repeated it all, same result.
I suppose I could try to update the entire OS, with:
sudo apt update
sudo apt upgrade
BUT I’m worried if that might make problems with the server? I currently have Debian 12.13 (x86_64)

You should do it daily.

Make sure you have the security repo added to your /etc/apt/sources.list file.

deb http://security.debian.org/debian-security bookworm-security main contrib non-free-firmware
3 Likes

When you log into your Debian 12 server, the first line will display

6.1.0-45-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.170-1 (2026-04-30) x86_64

so you know you’re updated.
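
As an added example (not part of the original thread): `uname -r` prints the kernel ABI name (6.1.0-45-amd64 here), while the Debian package version sits in the build string shown by `uname -v` and `uname -a`. This sketch extracts that version and compares it with a minimum; `FIXED_MIN` defaults to the 6.1.170-1 figure quoted in this thread, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: compare the running kernel's Debian package version with a minimum.
# FIXED_MIN is an assumption taken from the figure quoted in this thread.
FIXED_MIN="${FIXED_MIN:-6.1.170-1}"

# Extract the package version from a build string such as
#   "#1 SMP PREEMPT_DYNAMIC Debian 6.1.170-1 (2026-04-30)"
kernel_pkg_version() {
    printf '%s\n' "$1" | sed -n 's/.*Debian \([^ ]*\).*/\1/p'
}

# True when version $1 >= version $2. Uses dpkg's own comparison when
# available, otherwise falls back to a version sort.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# Prints a verdict. Returns 0 = at or above minimum, 1 = below, 2 = cannot tell.
check_kernel() {
    build="$1"
    min="${2:-$FIXED_MIN}"
    ver=$(kernel_pkg_version "$build")
    if [ -z "$ver" ]; then
        echo "UNKNOWN: no Debian package version found in: $build"
        return 2
    fi
    if version_ge "$ver" "$min"; then
        echo "OK: running kernel package $ver >= $min"
        return 0
    fi
    echo "OLD: running kernel package $ver < $min (upgrade, then reboot)"
    return 1
}

# Check the live system only when invoked with --live.
if [ "${1:-}" = "--live" ]; then
    check_kernel "$(uname -v)"
fi
```

The check reads the running kernel, so a newly installed kernel package still reports OLD until the machine has been rebooted into it.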

Thank you much for that line on that security repo, which I added to my /etc/apt/sources.list file.
I ran:
apt update
But I get:

Err:2 https://packages.sury.org/php bookworm InRelease                                                
  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <[email protected]>
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/php bookworm InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <[email protected]>
W: Failed to fetch https://packages.sury.org/php/dists/bookworm/InRelease  The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <[email protected]>
W: Some index files failed to download. They have been ignored, or old ones used instead.

I went ahead with
apt upgrade
But I got 100s of errors, such as:

Err:39 https://packages.sury.org/php bookworm/main amd64 php8.3-bz2 amd64 8.3.30-1+0~20260118.75+debian12~1.gbpa91a19
404  Not Found [IP: 146.75.79.52 443]
Failed to fetch https://packages.sury.org/php/pool/main/p/php8.3/php8.3-bcmath_8.3.30-1%2b0%7e20260118.75%2bdebian12%7e1.gbpa91a19_amd64.deb  404  Not Found [IP: 146.75.79.52 443]

I rebooted and to check the kernel, ran:
uname -r
result: 6.1.0-45-amd64, which is still the OLD, unsafe kernel

So it seems that the list of where to get packages is wrong or incomplete. Any way to change that? Thanks much in advance.

Show the output of:

uname -a

That issue is not related to the Debian security repo. So it looks like you have not upgraded your OS for 2 years…

curl -sSlo /usr/share/keyrings/sury-keyring.gpg https://packages.sury.org/php/apt.gpg
curl -sSlo /usr/share/keyrings/apache2-keyring.gpg https://packages.sury.org/apache2/apt.gpg

Once done, run apt update again.

If no errors, apt upgrade (if apt asks to replace existing conf for any package, answer always keep the current conf).

1 Like

All that went perfectly with no errors. Thanks!
The uname -a gives:
Linux [MY Hostname] 6.1.0-45-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.170-1 (2026-04-30) x86_64 GNU/Linux
So as I understand it, that does mean I’m up to date now and protected from the “Copy Fail” (algif_aead) bug, correct?

I should look into setting up a script to auto update my server.
Thanks once again. Amazing help.

1 Like

Correct

Do this as Sahsanu suggested earlier.

I’m glad it worked. You’re welcome.

Yes, that’s correct.

You can install and configure unattended upgrades:

sudo apt install unattended-upgrades
sudo dpkg-reconfigure unattended-upgrades
1 Like

Does this not auto configure/override any user set changes, say to “exim/ssh” etc? Someone in another forum was suggesting avoiding it, where one has user intervened the setups.

2 Likes

By default it doesn’t replace modified config files.

2 Likes