Re: Today's kernel vulnerability announcement

On Mon, 17 Mar 2003, Ed Wilts wrote:

> On Mon, Mar 17, 2003 at 09:51:27PM -0500, Tom Diehl wrote:
> > On Mon, 17 Mar 2003, Keith Mastin wrote:
> > 
> > > Just a heads up to everyone about the kernel vulnerability announcement
> > > sent out by redhat.
> > > 
> > > I took a look into the matter before upgrading, as IMHO upgrading the
> > > kernel is serious and shouldn't be done unless necessary. I've had
> > > experience with installing "upgraded" kernels that have presented far more
> > > problems than they've solved.
> > 
> > FUD!! How hard is it to do "rpm -ivh new_kernel_rpm.rpm", reboot and test to
> > your heart's content. It either works or it does not. If it does not work 
> > properly, reboot again and select your old kernel. How much easier do you 
> > want it?? I will admit this gets slightly more complicated if you have a 
> > bunch of custom modules installed but only slightly. You can still recompile
> > the modules test and fall back to the old kernel if there are problems.
> Obviously spoken by somebody who hasn't managed serious production
> systems before.  I've got a production server with 500+ users, hammered
> 24x7, and you want me to just go ahead and reboot and then spend time
> testing?  How many of us are really competent to do a proper kernel
> test?  If you are, then you're probably not on this list...  I've got
> other systems that are easier to do, but the only local users they have
> are root anyway.  If the kernel isn't remotely exploitable, why waste a
> reboot to fix a hole that I don't care about?  Any change presents a
> possibility of something breaking, whether it's a minor change or not.

No, I am not saying you need to do every kernel upgrade. I have remote systems
that are hammered 24x7 with no local users also (so obviously your first 
statement was _wrong_!! We do obviously have differing opinions though). 
I have not upgraded the kernels or rebooted them since early last year. 
What I am saying is that if a kernel upgrade is needed it is not that hard 
to do. When it is necessary to do the upgrades if you cannot do enough
testing to be _reasonably_ sure that the new kernel with the security holes
closed is going to work then obviously you do not have a good enough plan.
Nothing is 100% and I agree you have to assess the risks for yourself.

FWIW, you snipped the part where I copied a msg from Alan Cox on lkml
where I stated it appeared that he did not think this was a big deal.

Sorry if I was not clear.

.............Tom	"Nothing would please me more than being able to 
tdiehl rogueind com	hire ten programmers and deluge the hobby market 
			with good software." -- Bill Gates 1976

   			We are still waiting ....
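As an added example that is not from anyone in this thread: a small Python check that takes constructed `rpm -q kernel` and `uname -r` output and reports whether the newest installed kernel is actually the one running (i.e. a reboot is still pending after the package install) and whether the previously running kernel is still installed as the fallback that the `rpm -ivh` step above, unlike `rpm -U`, preserves. The version comparison is a simplified rpmvercmp written here, not rpm's own, and the sample versions are made up.

```python
import re
from functools import cmp_to_key

def _segments(s):
    """Split a version-release string into numeric and alphabetic runs,
    e.g. "2.4.18-3.x" -> ["2", "4", "18", "3", "x"] (simplified rpmvercmp)."""
    return re.findall(r"[0-9]+|[A-Za-z]+", s)

def rpm_vercmp(a, b):
    """Return 1 if a is newer than b, -1 if older, 0 if equal.
    Simplified: real rpm compares epoch, version and release separately."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric runs compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run beats an alpha run
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer string is newer

def parse_rpm_q(lines):
    """Turn 'rpm -q kernel' style lines (kernel-2.4.18-3, kernel-smp-2.4.20-1)
    into bare version-release strings."""
    out = []
    for line in lines:
        m = re.match(r"^kernel(?:-[a-z]+)?-(\d\S*)$", line.strip())
        if m:
            out.append(m.group(1))
    return out

def kernel_status(running, installed):
    """running: 'uname -r' output; installed: version-release strings.
    Returns (newest_installed, reboot_pending, fallback_available): a newer
    kernel installed but not booted, and the running one still on disk."""
    newest = max(installed, key=cmp_to_key(rpm_vercmp))
    reboot_pending = rpm_vercmp(newest, running) > 0
    fallback_available = running in installed and len(installed) > 1
    return newest, reboot_pending, fallback_available

# Constructed sample output (not real advisory versions): the newer package
# was installed with rpm -ivh next to the old one, but no reboot yet.
SAMPLE_RPM_Q = ["kernel-2.4.18-3", "kernel-2.4.20-1"]
SAMPLE_UNAME_R = "2.4.18-3"

if __name__ == "__main__":
    newest, pending, fallback = kernel_status(SAMPLE_UNAME_R, parse_rpm_q(SAMPLE_RPM_Q))
    print(f"newest={newest} reboot_pending={pending} fallback={fallback}")
```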

