| 1 |
I'd love to be able to kexec/kspliced from a xen host. |
| 2 |
|
| 3 |
On Oct 18, 2011, at 12:12 AM, Norman Rieß wrote: |
| 4 |
|
| 5 |
> -----BEGIN PGP SIGNED MESSAGE----- |
| 6 |
> Hash: SHA1 |
| 7 |
> |
| 8 |
> On 10/17/11 20:06, Pandu Poluan wrote: |
| 9 |
>> |
| 10 |
>> On Oct 17, 2011 6:44 PM, "Norman Rieß" <norman@×××××××××.org |
| 11 |
>> <mailto:norman@×××××××××.org>> wrote: |
| 12 |
>>> |
| 13 |
>>> |
| 14 |
>>> Hello, |
| 15 |
>>> |
| 16 |
>>> sorry to interrupt this thread, but this probably means, you did not |
| 17 |
>>> perform any kernel updates on that machine for over two years and |
| 18 |
>>> therefore the system is vulnarable to some kernel bugs which where |
| 19 |
>>> discovered during this time. On a DNS machine a privilege escalation bug |
| 20 |
>>> is even more severe. I strongly recommend to secure this machine. |
| 21 |
>> |
| 22 |
>> That depends on what Kai meant with "uptime". Maybe he meant the VMs |
| 23 |
>> (he's using Xen, after all) never needs a restart, but the BIND service |
| 24 |
>> still gets regular update and the consequent service-restart. |
| 25 |
>> |
| 26 |
> |
| 27 |
> Every Xen VM is running its own kernel and needs to be restarted or |
| 28 |
> kexec'ed when this kernel is updated. If this is not the case, the VM is |
| 29 |
> vulnerable to kernel bugs just as any other physical system, even if the |
| 30 |
> host on which the VM is running is secure. |
| 31 |
> I assume BIND is updated and restarted as needed, but that is not enough. |
| 32 |
> -----BEGIN PGP SIGNATURE----- |
| 33 |
> Version: GnuPG v2.0.17 (GNU/Linux) |
| 34 |
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ |
| 35 |
> |
| 36 |
> iQEcBAEBAgAGBQJOnQrQAAoJEMCA6frkLT6z4hoH/ArwyLiXD548fBo4XkWzqybE |
| 37 |
> ATBSl2UPnKEvk68wWjR0eYR1hNu0KmRUF40vhNW305/lnxIoNXb9KRYrTd3UkK7O |
| 38 |
> USvVqs0cYt/Eh+kmpsFp+atcQcLwksskdKHfmSaaGb+VE25MDMWMebJEpfdUPGvV |
| 39 |
> kuoXeAvt0U3ZLoFoT4+6U+wOFYBXz3Zqf/nA/nuJ7zH/RnGVt+2JSKhwqFsg/QoG |
| 40 |
> lXNrZxEi3LIM9/S6XNC/jpJFQUW1sNbrEeqzmBDCLWNuXRxXgMoF9kuj+HKsXAB9 |
| 41 |
> bnJhhlJEn89/9V3dI474tzyfJCzZSyJXXChT0Rh1xE30rVoUi2DExWbEe6HkDOY= |
| 42 |
> =NlNZ |
| 43 |
> -----END PGP SIGNATURE----- |
| 44 |
> |
Archives