-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/17/11 20:06, Pandu Poluan wrote:
>
> On Oct 17, 2011 6:44 PM, "Norman Rieß" <nor...@smash-net.org
> <mailto:nor...@smash-net.org>> wrote:
>>
>>
>> Hello,
>>
>> sorry to interrupt this thread, but this probably means you did not
>> perform any kernel updates on that machine for over two years and
>> therefore the system is vulnerable to some kernel bugs which were
>> discovered during this time. On a DNS machine a privilege escalation bug
>> is even more severe. I strongly recommend securing this machine.
>
> That depends on what Kai meant with "uptime". Maybe he meant the VMs
> (he's using Xen, after all) never need a restart, but the BIND service
> still gets regular updates and the consequent service restart.
>
Every Xen VM is running its own kernel and needs to be restarted or kexec'ed when this kernel is updated. If this is not the case, the VM is vulnerable to kernel bugs just as any other physical system, even if the host on which the VM is running is secure. I assume BIND is updated and restarted as needed, but that is not enough.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJOnQrQAAoJEMCA6frkLT6z4hoH/ArwyLiXD548fBo4XkWzqybE
ATBSl2UPnKEvk68wWjR0eYR1hNu0KmRUF40vhNW305/lnxIoNXb9KRYrTd3UkK7O
USvVqs0cYt/Eh+kmpsFp+atcQcLwksskdKHfmSaaGb+VE25MDMWMebJEpfdUPGvV
kuoXeAvt0U3ZLoFoT4+6U+wOFYBXz3Zqf/nA/nuJ7zH/RnGVt+2JSKhwqFsg/QoG
lXNrZxEi3LIM9/S6XNC/jpJFQUW1sNbrEeqzmBDCLWNuXRxXgMoF9kuj+HKsXAB9
bnJhhlJEn89/9V3dI474tzyfJCzZSyJXXChT0Rh1xE30rVoUi2DExWbEe6HkDOY=
=NlNZ
-----END PGP SIGNATURE-----
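The point of the reply above is that a long uptime on a Xen guest means the guest is still running whatever kernel it booted with, no matter how often BIND itself has been restarted. The following is an added example, not code from anyone in this thread: a small POSIX shell check that compares the running kernel (`uname -r`) against the newest kernel image installed under `/boot`, so an operator can spot guests that have a newer kernel on disk but have never been rebooted or kexec'ed into it. It assumes Debian-style `/boot/vmlinuz-<version>` file names and a `sort` that understands `-V` (GNU coreutils); the version strings in `check_sample` are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a guest whose running kernel is older than the newest
# installed one. Assumes /boot/vmlinuz-<version> naming and GNU `sort -V`.

# newest_kernel VERSION...: print the highest version string among the arguments.
newest_kernel() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# kernel_reboot_needed RUNNING INSTALLED...: succeed (exit 0) when the newest
# installed kernel differs from the one currently running, i.e. a reboot or
# kexec is still pending; fail (exit 1) when the guest already runs the newest.
kernel_reboot_needed() {
    running=$1
    shift
    newest=$(newest_kernel "$@")
    [ "$newest" != "$running" ]
}

# installed_kernels: list kernel versions present on the local system, one per
# line, derived from /boot/vmlinuz-* file names. Prints nothing if none exist.
installed_kernels() {
    for img in /boot/vmlinuz-*; do
        [ -e "$img" ] || continue
        printf '%s\n' "${img#/boot/vmlinuz-}"
    done
}

# check_local_guest: run the comparison against the live system.
check_local_guest() {
    running=$(uname -r)
    # word-splitting of installed_kernels output is intended: one version per arg
    # shellcheck disable=SC2046
    if kernel_reboot_needed "$running" $(installed_kernels); then
        echo "REBOOT REQUIRED: running $running, newest installed $(newest_kernel $(installed_kernels))"
        return 1
    fi
    echo "OK: running newest installed kernel $running"
    return 0
}

# check_sample: offline demonstration with constructed (hypothetical) version
# strings. The running kernel is the -5 build while a -38 build is installed.
check_sample() {
    running="2.6.32-5-xen-amd64"
    if kernel_reboot_needed "$running" "2.6.32-5-xen-amd64" "2.6.32-38-xen-amd64"; then
        echo "REBOOT"
    else
        echo "OK"
    fi
}
```

Source the file and call `check_local_guest` from a cron job or a monitoring agent inside each guest; the non-zero return value is what a check framework would alert on. The comparison is deliberately done on the guest, since the host's own patch level says nothing about the kernel a VM booted two years ago.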