I'd love to be able to kexec/kspliced from a xen host.

On Oct 18, 2011, at 12:12 AM, Norman Rieß wrote:

> On 10/17/11 20:06, Pandu Poluan wrote:
>>
>> On Oct 17, 2011 6:44 PM, "Norman Rieß" <norman@×××××××××.org
>> <mailto:norman@×××××××××.org>> wrote:
>>>
>>> Hello,
>>>
>>> sorry to interrupt this thread, but this probably means, you did not
>>> perform any kernel updates on that machine for over two years and
>>> therefore the system is vulnerable to some kernel bugs which were
>>> discovered during this time. On a DNS machine a privilege escalation bug
>>> is even more severe. I strongly recommend to secure this machine.
>>
>> That depends on what Kai meant with "uptime". Maybe he meant the VMs
>> (he's using Xen, after all) never need a restart, but the BIND service
>> still gets regular updates and the consequent service-restart.
>>
>
> Every Xen VM is running its own kernel and needs to be restarted or
> kexec'ed when this kernel is updated. If this is not the case, the VM is
> vulnerable to kernel bugs just as any other physical system, even if the
> host on which the VM is running is secure.
> I assume BIND is updated and restarted as needed, but that is not enough.