
Re: what's your Debian uptime?



On Wed, 17 Apr 2013 04:02:45 -0500
Stan Hoeppner <stan@hardwarefreak.com> wrote:

> On 4/17/2013 1:10 AM, Hans-J. Ullrich wrote:
> > On Wednesday, 17 April 2013, Tixy wrote:
> >> On Tue, 2013-04-16 at 22:59 -0500, Stan Hoeppner wrote:
> >>> Linux greer 3.2.6 #1 SMP Mon Feb 20 17:05:10 CST 2012 i686 GNU/Linux
> >>>
> >>>  22:35:31 up 412 days, 10:05,  1 user,  load average: 1.18, 0.97, 0.44
> >>
> >> So you are over a year behind in installing security updates for the
> >> kernel. (I know, if your machine doesn't have untrusted users and is
> >> well removed or disconnected from the internet, then that doesn't really
> >> matter).
> > 
> > This must not be so. Look, in my case I used a self-compiled kernel, with very 
> > few modules. And as the only security holes have been in kernel modules I did 
> > not compile, I did not need to install a new kernel. Those modules were just 
> > nonexistent. KISS-style. It makes things more secure!
> 
> I build all my server kernels from vanilla source.  Not only do I not
> use modules, but I go a step further, removing module support from the
> kernel entirely.  I use SLAB instead of SLUB, and the deadline elevator.
>  I build in disk/network/etc drivers along with the firmware blob.  I do
> not use an init ramdisk.  All of my systems have a small boot partition
> holding the kernel image, config, and map.  And I use LILO.  My kernels
> are pretty lightweight, stripped of anything I can identify as unnecessary:
> 
> -rw-r--r--  1 root root 605K Feb 20  2012 System.map-3.2.6
> -rw-r--r--  1 root root  38K Feb 20  2012 config-3.2.6
> -rw-r--r--  1 root root 1.7M Feb 20  2012 vmlinuz-3.2.6
> 
> Normally I build new kernels about every 6 months, but I've been holding
> back for a bit as 3.2.6 has been working very well, and I don't want to
> get my kernel too far ahead of my userspace.  For example, the bleeding
> edge XFS kernel code doesn't particularly like many years old xfsprogs.
>  I'll probably bump up to 3.8.x after Wheezy finally ships.

Since 3.2.6, Greg KH has released at least these updates, all of which
he has accompanied with the unequivocal instructions that "All users of
the 3.2 kernel series should upgrade.":

http://lkml.org/lkml/2012/2/20/410
http://lkml.org/lkml/2012/2/29/544
http://lkml.org/lkml/2012/3/12/414
http://lkml.org/lkml/2012/3/19/450
http://lkml.org/lkml/2012/3/23/293
http://lkml.org/lkml/2012/4/2/331
http://lkml.org/lkml/2012/4/13/271
http://lkml.org/lkml/2012/4/22/123

[At this point, maintenance of the 3.2.x branch was taken over by Ben
Hutchings.]

I can see three possibilities:

A) You have carefully reviewed all the code changes in each update, and
determined that none of them apply to your configuration.

B) You disagree with Greg about the imperative nature of these updates.

C) You concede that you're running known buggy / insecure kernel code,
but you believe that your security and networking model isolates you
from any realistic possibility of exploitation.

I, too, run self-compiled vanilla sources, in a pretty stripped down
configuration, albeit not quite as spare as yours:

$ ls -l /boot | grep vmlinuz
-rw-r--r-- 1 root root 2864400 Apr  8 06:42 vmlinuz-3.2.0-0.bpo.4-amd64
-rw-r--r-- 1 root root 2000736 Apr 14 21:22 vmlinuz-3.4.40

I'm running the 3.4.x branch, and following Greg's instructions, I wind
up updating the kernel something like biweekly.

Celejar
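As an added example that is not part of this thread: a small POSIX shell check, in the spirit of the comparison above, that drops the `uname -r` suffix, finds the newest known point release in the running kernel's stable series, and reports whether the host is behind and how many days it has been up. The release list `KNOWN_RELEASES` is constructed for illustration and the function names are assumptions of this example, not anything from the posters.

```shell
#!/bin/sh
# Added example, not from the thread: flag a running kernel that sits behind the
# newest known point release of its stable series, and report uptime in days.
# Assumes dotted numeric versions; uname -r suffixes like "-0.bpo.4-amd64" are dropped.

# Constructed, illustrative 3.2.y list (not verified); feed it the releases you track.
KNOWN_RELEASES="3.2.14 3.2.7 3.2.9 3.2.10 3.2.8"

vercmp() {  # compare dotted versions $1 and $2 component-wise: prints -1, 0 or 1
  va=$1 vb=$2
  while [ -n "$va" ] || [ -n "$vb" ]; do
    ca=${va%%.*} cb=${vb%%.*}
    : "${ca:=0}" "${cb:=0}"                # a missing component counts as 0
    if [ "$ca" -lt "$cb" ]; then printf '%s\n' -1; return 0; fi
    if [ "$ca" -gt "$cb" ]; then printf '%s\n' 1; return 0; fi
    case $va in *.*) va=${va#*.} ;; *) va= ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
  done
  printf '%s\n' 0
}

series_latest() {  # newest entry in list $2 sharing the major.minor of $1, else empty
  series=${1%.*} best=
  for rel in $2; do
    [ "${rel%.*}" = "$series" ] || continue
    if [ -z "$best" ] || [ "$(vercmp "$rel" "$best")" -eq 1 ]; then best=$rel; fi
  done
  printf '%s\n' "$best"
}

check_kernel() {  # verdict for version $1 vs list $2: "behind X", "current", "unknown-series"
  run=${1%%-*}                              # 3.2.0-0.bpo.4-amd64 -> 3.2.0
  latest=$(series_latest "$run" "$2")
  if [ -z "$latest" ]; then echo unknown-series
  elif [ "$(vercmp "$run" "$latest")" -lt 0 ]; then echo "behind $latest"
  else echo current
  fi
}

uptime_days() {  # whole days since boot, from the seconds field of /proc/uptime
  awk '{ printf "%d\n", $1 / 86400 }' /proc/uptime
}

# Report for this host; guarded so it only runs where /proc/uptime exists.
if [ -r /proc/uptime ]; then
  printf '%s: %s, up %s days\n' "$(uname -r)" \
    "$(check_kernel "$(uname -r)" "$KNOWN_RELEASES")" "$(uptime_days)"
fi
```

A host reporting "behind" with a large uptime is exactly the situation Tixy describes: the patched kernel may even be installed in /boot, but the running one predates the fixes until the box reboots.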

