| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On 10/17/11 20:06, Pandu Poluan wrote: |
| 5 |
> |
| 6 |
> On Oct 17, 2011 6:44 PM, "Norman Rieß" <norman@×××××××××.org |
| 7 |
> <mailto:norman@×××××××××.org>> wrote: |
| 8 |
>> |
| 9 |
>> |
| 10 |
>> Hello, |
| 11 |
>> |
| 12 |
>> sorry to interrupt this thread, but this probably means, you did not |
| 13 |
>> perform any kernel updates on that machine for over two years and |
| 14 |
>> therefore the system is vulnarable to some kernel bugs which where |
| 15 |
>> discovered during this time. On a DNS machine a privilege escalation bug |
| 16 |
>> is even more severe. I strongly recommend to secure this machine. |
| 17 |
> |
| 18 |
> That depends on what Kai meant with "uptime". Maybe he meant the VMs |
| 19 |
> (he's using Xen, after all) never needs a restart, but the BIND service |
| 20 |
> still gets regular update and the consequent service-restart. |
| 21 |
> |
| 22 |
|
| 23 |
Every Xen VM is running its own kernel and needs to be restarted or |
| 24 |
kexec'ed when this kernel is updated. If this is not the case, the VM is |
| 25 |
vulnerable to kernel bugs just as any other physical system, even if the |
| 26 |
host on which the VM is running is secure. |
| 27 |
I assume BIND is updated and restarted as needed, but that is not enough. |
| 28 |
-----BEGIN PGP SIGNATURE----- |
| 29 |
Version: GnuPG v2.0.17 (GNU/Linux) |
| 30 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ |
| 31 |
|
| 32 |
iQEcBAEBAgAGBQJOnQrQAAoJEMCA6frkLT6z4hoH/ArwyLiXD548fBo4XkWzqybE |
| 33 |
ATBSl2UPnKEvk68wWjR0eYR1hNu0KmRUF40vhNW305/lnxIoNXb9KRYrTd3UkK7O |
| 34 |
USvVqs0cYt/Eh+kmpsFp+atcQcLwksskdKHfmSaaGb+VE25MDMWMebJEpfdUPGvV |
| 35 |
kuoXeAvt0U3ZLoFoT4+6U+wOFYBXz3Zqf/nA/nuJ7zH/RnGVt+2JSKhwqFsg/QoG |
| 36 |
lXNrZxEi3LIM9/S6XNC/jpJFQUW1sNbrEeqzmBDCLWNuXRxXgMoF9kuj+HKsXAB9 |
| 37 |
bnJhhlJEn89/9V3dI474tzyfJCzZSyJXXChT0Rh1xE30rVoUi2DExWbEe6HkDOY= |
| 38 |
=NlNZ |
| 39 |
-----END PGP SIGNATURE----- |
Archives