On Wed, 17 Apr 2013 04:02:45 -0500 Stan Hoeppner <s...@hardwarefreak.com> wrote:
> On 4/17/2013 1:10 AM, Hans-J. Ullrich wrote:
> > On Wednesday, 17 April 2013, Tixy wrote:
> >> On Tue, 2013-04-16 at 22:59 -0500, Stan Hoeppner wrote:
> >>> Linux greer 3.2.6 #1 SMP Mon Feb 20 17:05:10 CST 2012 i686 GNU/Linux
> >>>
> >>> 22:35:31 up 412 days, 10:05, 1 user, load average: 1.18, 0.97, 0.44
> >>
> >> So you are over a year behind in installing security updates for the
> >> kernel. (I know, if your machine doesn't have untrusted users and is
> >> well removed or disconnected from the internet, then that doesn't really
> >> matter).
> >
> > This must not be so. Look, in my case I used a self-compiled kernel, with
> > very few modules. And as the only security holes have been in kernel
> > modules I did not compile, I did not need to install a new kernel. Those
> > modules were just not existent. KISS-style. It makes things more secure!
>
> I build all my server kernels from vanilla source. Not only do I not
> use modules, but I go a step further, removing module support from the
> kernel entirely. I use SLAB instead of SLUB, and the deadline elevator.
> I build in disk/network/etc. drivers along with the firmware blob. I do
> not use an init ramdisk. All of my systems have a small boot partition
> holding the kernel image, config, and map. And I use LILO. My kernels
> are pretty lightweight, stripped of anything I can identify as unnecessary:
>
> -rw-r--r-- 1 root root 605K Feb 20 2012 System.map-3.2.6
> -rw-r--r-- 1 root root 38K Feb 20 2012 config-3.2.6
> -rw-r--r-- 1 root root 1.7M Feb 20 2012 vmlinuz-3.2.6
>
> Normally I build new kernels about every 6 months, but I've been holding
> back for a bit as 3.2.6 has been working very well, and I don't want to
> get my kernel too far ahead of my userspace. For example, the bleeding
> edge XFS kernel code doesn't particularly like many-years-old xfsprogs.
> I'll probably bump up to 3.8.x after Wheezy finally ships.
Since 3.2.6, Greg KH has released at least these updates, all of which he has accompanied with the unequivocal instruction that "All users of the 3.2 kernel series should upgrade.":

http://lkml.org/lkml/2012/2/20/410
http://lkml.org/lkml/2012/2/29/544
http://lkml.org/lkml/2012/3/12/414
http://lkml.org/lkml/2012/3/19/450
http://lkml.org/lkml/2012/3/23/293
http://lkml.org/lkml/2012/4/2/331
http://lkml.org/lkml/2012/4/13/271
http://lkml.org/lkml/2012/4/22/123

[At this point, maintenance of the 3.2.x branch was taken over by Ben Hutchings.]

I can see three possibilities:

A) You have carefully reviewed all the code changes in each update, and determined that none of them apply to your configuration.

B) You disagree with Greg about the imperative nature of these updates.

C) You concede that you're running known buggy / insecure kernel code, but you believe that your security and networking model isolates you from any realistic possibility of exploitation.

I, too, run self-compiled vanilla sources, in a pretty stripped-down configuration, albeit not quite as spare as yours:

$ ls -l /boot | grep vmlinuz
-rw-r--r-- 1 root root 2864400 Apr  8 06:42 vmlinuz-3.2.0-0.bpo.4-amd64
-rw-r--r-- 1 root root 2000736 Apr 14 21:22 vmlinuz-3.4.40

I'm running the 3.4.x branch, and following Greg's instructions, I wind up updating the kernel something like biweekly.

Celejar

Archive: http://lists.debian.org/20130417225918.22d63709.cele...@gmail.com