JM Field — Linux VM Patch Audit

2026-05-15 | 5 Proxmox nodes (PVE 9.1) | 19 Linux systems

⚠ Critical — Patch Immediately

Summary (cluster-wide, Linux only — Windows VMs excluded)

  • Pending Patches: 926 (across 11 systems)
  • Security Patches: 209 (-security pocket / updateinfo)
  • High-Risk Hits: 103 (watchlist pkgs upgradable)
  • Kernel Pending: 9 (VMs awaiting reboot)
  • EOL Systems: 0 (none)
  • Heavy Backlogs (≥150): 3 (VM 142, VM 9241, VM 121)
  • Needs Reboot: 3 (running != installed kernel)
  • Recently Patched: 3 (≤10 pending)

Ubuntu / Debian — Patch Backlog (red rows = kernel-pending or high-risk hits)

VMID | Hostname                   | Node     | OS                             | Upgradable | Sec | High-Risk Pkgs                                                        | Flags         | Tier
-----|----------------------------|----------|--------------------------------|------------|-----|-----------------------------------------------------------------------|---------------|---------
142  | MySQL-Dev-2                | JMFPMX02 | Ubuntu 24.04 LTS               | 223        | -   | apt-utils apt linux-generic linux-headers-generic +7                  | KERNEL        | Critical
9241 | aivqueue3 (external 3.241) | external | Ubuntu 24.04.1 LTS             | 170        | -   | apt-utils apt linux-generic linux-headers-generic +7                  | KERNEL REBOOT | Critical
122  | aivqueue-3.216             | JMFPMX01 | Ubuntu 22.04.4 LTS             | 107        | -   | apt linux-generic linux-headers-generic linux-image-generic +4        | KERNEL REBOOT | High
130  | MariaDB-3.230              | JMFPMX05 | Ubuntu 22.04.4 LTS             | 96         | -   | apt-utils apt linux-generic linux-headers-generic +4                  | KERNEL REBOOT | High
145  | FreePBX-v17                | JMFPMX03 | Debian GNU/Linux 12 (bookworm) | 73         | 54  | libssl3 linux-image-amd64 openssh-client openssh-server +1            | KERNEL        | High
137  | Enhance-Backup-Server      | JMFPMX03 | Ubuntu 24.04.4 LTS             | 64         | 43  | dpkg linux-generic linux-headers-generic linux-image-extra-virtual +3 | KERNEL        | High
151  | jmfweb01                   | JMFPMX05 | Ubuntu 24.04.4 LTS             | 31         | -   | systemd-dev systemd-resolved systemd-sysv systemd-timesyncd +1        | -             | Medium
149  | claude-automation          | JMFPMX03 | Ubuntu 24.04.4 LTS             | 4          | 4   | linux-headers-generic linux-headers-virtual linux-image-virtual       | KERNEL        | Low
139  | callcenter                 | JMFPMX03 | Ubuntu 24.04.4 LTS             | 3          | -   | linux-generic linux-headers-generic linux-image-generic               | KERNEL        | Low

RHEL Family (scanned via SSH-direct; guest-exec blacklisted)

VMID | Hostname              | Node     | OS                               | Sec | High-Risk Pkgs                             | Flags  | Status
-----|-----------------------|----------|----------------------------------|-----|--------------------------------------------|--------|------------
121  | aivscripttesting3.202 | JMFPMX02 | AlmaLinux 8.10 (Cerulean Leopard) | 108 | dbus dbus-common dbus-daemon dbus-libs +38 | KERNEL | 154 pending
126  | aivscript-3.240       | JMFPMX04 | CentOS Linux 7 (Core)            | -   | -                                          | -      | 1 pending
114  | FTP-Production        | JMFPMX02 | AlmaLinux 10.1 (Heliotrope Lion) | -   | -                                          | -      | Unreachable

Watchlist — Why These Packages Matter

0-Day / Active Exploits (May 2026)

  • Linux Kernel CVE-2026-31431 Dirty Frag — local user → root. Mitigation if not patched: disable esp4, esp6, rxrpc modules.
  • Container Runtimes — Copy Fail — container escape vector. Affects containerd, docker.io/docker-ce, runc, cri-o after kernel CVEs.

Privilege / Identity Boundary

  • systemd — init + service manager; flaws = full system compromise.
  • OpenSSH (sshd) — remote access; patch every minor release.
  • OpenSSL / libssl — TLS/crypto across the stack.
  • polkit / dbus — system-wide privilege handlers + IPC security.
  • glibc (libc6) — used by ~every binary; quiet but devastating.

Supply Chain

  • Package managers themselves: apt, dnf, yum, dpkg, rpm. Patch these before any other update.

Verify After Patching

  • Debian/Ubuntu: cat /var/run/reboot-required
  • RHEL/Fedora: dnf needs-restarting -r
  • For 0-day kernel CVEs, prefer live-patching: Canonical Livepatch / KernelCare / Oracle Ksplice to avoid downtime.

Unreachable (no patch count this run)

  • VMID 114 (FTP-Production, JMFPMX02): ssh-direct 192.168.3.213:2222
  • VMID 120 (MySQL-Dev-Server-3.210, JMFPMX02): skipped (no agent)
  • VMID 123 (API-Server-3.244, JMFPMX01): skipped (no agent)
  • VMID 132 (aivtpcserver-3.217, JMFPMX04): skipped (no agent)
  • VMID 134 (pulse, JMFPMX04): pvesh-lxc-exec
  • VMID 141 (WebServer-Enhance, JMFPMX04): skipped (no agent)
  • VMID 150 (uptime-kuma, JMFPMX03): pvesh-lxc-exec

Methodology

  • Cluster-wide enumeration via pvesh get /cluster/resources --type vm
  • OS detection via QEMU guest-agent get-osinfo (Windows VMs filtered out)
  • Patch counts for Debian/Ubuntu via guest-exec apt list --upgradable / pct exec for LXC
  • RHEL family scanned via direct SSH (guest-exec disabled by default policy)
  • 11 of 19 Linux systems returned a numeric patch count this run
  • Generated automatically by /opt/jmfield-patch-audit/scripts/run-monthly.sh on JMFPMX04 monthly cron