I'd love to be able to kexec/ksplice from a Xen host.

On Oct 18, 2011, at 12:12 AM, Norman Rieß wrote:
> On 10/17/11 20:06, Pandu Poluan wrote:
>>
>> On Oct 17, 2011 6:44 PM, "Norman Rieß" <[email protected]> wrote:
>>>
>>> Hello,
>>>
>>> sorry to interrupt this thread, but this probably means, you did not
>>> perform any kernel updates on that machine for over two years and
>>> therefore the system is vulnerable to some kernel bugs which were
>>> discovered during this time. On a DNS machine a privilege escalation bug
>>> is even more severe. I strongly recommend to secure this machine.
>>
>> That depends on what Kai meant with "uptime". Maybe he meant the VMs
>> (he's using Xen, after all) never need a restart, but the BIND service
>> still gets regular updates and the consequent service-restart.
>>
>
> Every Xen VM is running its own kernel and needs to be restarted or
> kexec'ed when this kernel is updated. If this is not the case, the VM is
> vulnerable to kernel bugs just as any other physical system, even if the
> host on which the VM is running is secure.
> I assume BIND is updated and restarted as needed, but that is not enough.
