Hi Z Ero,

> On Mar 3, 2018, at 10:29 AM, Otto Moerbeek <o...@drijf.net> wrote:
>> On Sat, Mar 03, 2018 at 09:36:10AM -0500, Z Ero wrote:
>>
>> I have a web-facing server running nginx, php5-fpm and mysql /
>> mariadb. It is still on 6.1. Remarkably I have a continuous uptime
>> without incident of 150+ days. I understand the meltdown patch is
>> available for 6.2. From a security standpoint how urgent is it that I
>> upgrade and apply the patch?
>>
>> Notably the webserver is a VPS not on bare metal. If my VPS provider
>> is not patched against meltdown what difference would it make?
>>
>> Are virtual CPUs even susceptible to meltdown? I suspect not. But the
>> underlying physical CPU would be.
If you are running a VPS you should open a ticket with your service provider to see whether they have or will update the hypervisor and/or need to move you to new, underlying hardware (unless you are on the big three - AWS, Google and Azure have mitigations in place already). Many VPS providers use Xen and it requires patches to mitigate Meltdown. This is an ongoing thing (see the Xen announcements mailing list to track this), so you should consider hypervisor updates as a work in progress.

It’s probably not a bad idea to regenerate your secrets (SSH keys, etc.) after you feel that your VPS service provider has addressed the hypervisor issues and you have moved to 6.2 with the syspatch for Meltdown. It’s best to assume someone has already “walked” through the memory space of your server and captured this information.

- J
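The guest-side part of the advice above (be on 6.2 or later, and have the Meltdown syspatch installed before rotating secrets) as a small POSIX sh helper. This is an added example, not code from the thread or from the OpenBSD project; it assumes releases are written MAJOR.MINOR, takes the patch list in the one-name-per-line shape of `syspatch -l` output, and uses the placeholder name NNN_meltdown for the patch (look up the real name with `syspatch -c` on a 6.2 system). The sample values used when `syspatch` is absent are constructed.

```shell
#!/bin/sh
# Post-Meltdown checklist helpers for an OpenBSD guest (added example, not from the thread).
set -u

# Name of the Meltdown syspatch: PLACEHOLDER, overridable from the environment.
MELTDOWN_PATCH="${MELTDOWN_PATCH:-NNN_meltdown}"

# release_ge CURRENT WANTED: succeed when release CURRENT is >= WANTED.
# Major and minor are compared numerically, so 6.10 sorts after 6.2
# (a plain string comparison would get this wrong).
release_ge() {
    cur_major=${1%%.*};  cur_minor=${1#*.}
    want_major=${2%%.*}; want_minor=${2#*.}
    [ "$cur_major" -gt "$want_major" ] && return 0
    [ "$cur_major" -eq "$want_major" ] && [ "$cur_minor" -ge "$want_minor" ]
}

# has_patch PATCHLIST NAME: succeed when NAME is a whole line of PATCHLIST
# (PATCHLIST is text shaped like `syspatch -l` output: one patch name per line).
has_patch() {
    printf '%s\n' "$1" | grep -qx "$2"
}

# meltdown_status RELEASE PATCHLIST: print one verdict word and return 0 only when
# the guest is on 6.2 or later AND the Meltdown patch is installed.
meltdown_status() {
    if ! release_ge "$1" "6.2"; then
        echo "upgrade-needed"; return 1
    fi
    if ! has_patch "$2" "$MELTDOWN_PATCH"; then
        echo "patch-needed"; return 1
    fi
    echo "ok"; return 0
}

# On a real OpenBSD host use live values; otherwise fall back to constructed
# sample values (a 6.1 guest with nothing patched) so the script still runs.
main() {
    if command -v syspatch >/dev/null 2>&1; then
        release=$(uname -r)
        patches=$(syspatch -l 2>/dev/null)
    else
        release="6.1"
        patches=""
    fi
    meltdown_status "$release" "$patches"
}

# Run main only when executed as meltdown_check.sh (assumed file name), so the
# functions can also be sourced without side effects.
case "${0##*/}" in
    meltdown_check.sh) main ;;
esac
```

Only when `meltdown_status` prints `ok` does the reply's last step (regenerating SSH host keys and other secrets) make sense; rotating them before the hypervisor and guest are patched would just expose the new secrets to the same read.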