On 02/23/2017 06:00 PM, Christian Boltz wrote:

Am Donnerstag, 23. Februar 2017, 13:46:51 CET schrieb Ruediger Meier:
On Thursday 23 February 2017, Carlos E. R. wrote:
What worries me is that we got 2 kernel updates in a month. Several
updates this month that require a reboot (systemd, apparmor...). Not
good for server uptime.

You DO NOT NEED to reboot after kernel update. Nowadays the old kernel
should be still installed in parallel so module loading still works
without reboot.

Yes, you can always choose to ignore a security update - but that means
that you stay vulnerable. Given that, I prefer a secure system over a
big uptime ;-)

You SHOULD reboot as soon as possible if the kernel update fixes
security bugs _and_ if you have local users which you can't trust. For
example if you run 100 workstations with 1000 users.

"Local" users is relative ;-)

For example, if you run a webserver, and one of the pages allows remote
code execution [1], a local root exploit can easily become a remote root
exploit via that exploitable page.

[1] Are you 100% sure _all_ webhosting customers always run the latest
    version of Wordpress, Typo3, Joomla, $whatever, and instantly
    upgrade when a security update gets released?
    If so, please tell me where I can find such customers ;-)

Of course you are right except that I would call the customers already local users. One of them would try out dirty cow for sure even without being hacked by someone else :)

Evergreen mailing list

Reply via email to