-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/17/11 20:06, Pandu Poluan wrote:
>
> On Oct 17, 2011 6:44 PM, "Norman Rieß" <norman@×××××××××.org
> <mailto:norman@×××××××××.org>> wrote:
>>
>>
>> Hello,
>>
>> sorry to interrupt this thread, but this probably means you did not
>> perform any kernel updates on that machine for over two years and
>> therefore the system is vulnerable to some kernel bugs which were
>> discovered during this time. On a DNS machine a privilege escalation bug
>> is even more severe. I strongly recommend securing this machine.
>
> That depends on what Kai meant with "uptime". Maybe he meant the VMs
> (he's using Xen, after all) never need a restart, but the BIND service
> still gets regular updates and the consequent service restart.
>

Every Xen VM is running its own kernel and needs to be restarted or
kexec'ed when this kernel is updated. If this is not the case, the VM is
vulnerable to kernel bugs just as any other physical system, even if the
host on which the VM is running is secure.
I assume BIND is updated and restarted as needed, but that is not enough.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJOnQrQAAoJEMCA6frkLT6z4hoH/ArwyLiXD548fBo4XkWzqybE
ATBSl2UPnKEvk68wWjR0eYR1hNu0KmRUF40vhNW305/lnxIoNXb9KRYrTd3UkK7O
USvVqs0cYt/Eh+kmpsFp+atcQcLwksskdKHfmSaaGb+VE25MDMWMebJEpfdUPGvV
kuoXeAvt0U3ZLoFoT4+6U+wOFYBXz3Zqf/nA/nuJ7zH/RnGVt+2JSKhwqFsg/QoG
lXNrZxEi3LIM9/S6XNC/jpJFQUW1sNbrEeqzmBDCLWNuXRxXgMoF9kuj+HKsXAB9
bnJhhlJEn89/9V3dI474tzyfJCzZSyJXXChT0Rh1xE30rVoUi2DExWbEe6HkDOY=
=NlNZ
-----END PGP SIGNATURE-----
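The point made in the reply above, that a long uptime on a Xen guest means the guest is still running whatever kernel it booted with no matter how often BIND was restarted, can be checked from inside the guest. The script below is an added example and is not from the e-mail thread or from any Gentoo or Xen tool. It compares the running kernel version (`uname -r`) with the kernel images installed in /boot and also checks whether the newest image was written after the current boot, which catches a rebuilt kernel that kept the same version string. It assumes images are named /boot/vmlinuz-<version> (genkernel's kernel-genkernel-<arch>-<version> naming needs a different glob), GNU `stat`, and Linux /proc/stat; the function names are the example's own.

```shell
#!/bin/sh
# Added example: is the running kernel older than what is installed?

# ver_gt A B: exit 0 if version string A is newer than B. Numeric fields
# are compared left to right; non-digit runs ("-gentoo-r") are separators,
# so 2.6.39-gentoo-r3 sorts after 2.6.39-gentoo.
ver_gt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, /[^0-9]+/); m = split(b, y, /[^0-9]+/)
    for (i = 1; i <= (n > m ? n : m); i++) {
      p = (i <= n) ? x[i] + 0 : 0
      q = (i <= m) ? y[i] + 0 : 0
      if (p != q) { if (p > q) exit 0; else exit 1 }
    }
    exit 1
  }'
}

# newest_version V...: print the highest version among the arguments.
newest_version() {
  best=""
  for v in "$@"; do
    if [ -z "$best" ] || ver_gt "$v" "$best"; then best="$v"; fi
  done
  printf '%s\n' "$best"
}

# reboot_needed RUNNING INSTALLED...: exit 0 when an installed kernel is
# newer than the one currently running.
reboot_needed() {
  running="$1"; shift
  newest=$(newest_version "$@")
  ver_gt "$newest" "$running"
}

# image_newer_than_boot IMAGE: exit 0 if IMAGE was modified after the
# current boot (assumes GNU stat and Linux /proc/stat).
image_newer_than_boot() {
  btime=$(awk '/^btime/ { print $2 }' /proc/stat)
  mtime=$(stat -c %Y "$1")
  [ "$mtime" -gt "$btime" ]
}

# check_live_host: run both checks against this machine. Exit status 1
# means a reboot (or kexec) into the newer kernel is still outstanding.
check_live_host() {
  running=$(uname -r)
  set -- /boot/vmlinuz-*            # assumed image naming, see lead-in
  if [ ! -e "$1" ]; then
    echo "no images matching /boot/vmlinuz-* found; nothing to compare"
    return 0
  fi
  installed=""
  for img in "$@"; do
    installed="$installed ${img#/boot/vmlinuz-}"
  done
  newest=$(newest_version $installed)
  if reboot_needed "$running" $installed; then
    echo "REBOOT NEEDED: running $running, newest installed $newest"
    return 1
  fi
  if image_newer_than_boot "/boot/vmlinuz-$newest"; then
    echo "REBOOT NEEDED: /boot/vmlinuz-$newest was rebuilt after this boot"
    return 1
  fi
  echo "running kernel $running is the newest installed image"
}

# Only touch the live system when asked to; the functions above can be
# sourced and exercised with constructed version strings otherwise.
if [ "${1:-}" = "--live" ]; then
  check_live_host
fi
```

Run it as `sh kcheck.sh --live` inside each domU. One Xen-specific caveat: a PV guest that is booted from a kernel image kept on dom0 (no pygrub/pvgrub) has nothing to compare in its own /boot, so the installed-image side of the check has to be done against dom0's copy; the conclusion of the reply still holds, the guest must be restarted to pick the new kernel up.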