Linode Forum
Linode Community Forums
PostPosted: Mon Mar 14, 2011 4:13 pm 
Senior Member

Joined: Tue Feb 01, 2011 5:14 pm
Posts: 53
I came across this article recently which is cause for concern..

http://www.zdnet.com.au/ubuntu-peppered-with-holes-339310663.htm?tag=mantle_skin;content

Being new to a VPS environment I am not too clear on how or when kernels are updated.. I know that running and loading updates from the command line doesn't appear to pull down any updated kernel packages as it would on a "normal" server..

Can someone fill me in?

Thanks..


PostPosted: Mon Mar 14, 2011 5:02 pm 
Senior Member

Joined: Fri Dec 11, 2009 7:09 pm
Posts: 168
You are running a Linode kernel, which is chosen via the dashboard, and I believe they are kept fully patched.
You can run your own kernel if you like, using pv_grub, but I let Linode take care of it, and simply choose the latest paravirt kernel.

_________________
--
Chris Bryant


PostPosted: Mon Mar 14, 2011 7:24 pm 
Senior Member

Joined: Wed May 13, 2009 1:18 am
Posts: 681
Without trying to minimize the value of keeping any system component as up to date as possible, in considering the risk posed to you as a VPS admin, you also want to put such issues in perspective in terms of what sort of access anyone is going to have to your Linode, and thus kernel. In general odds favor someone exploiting an issue in your application stack rather than your kernel.

Anything talking about a "local attacker" (most of the ones on the list in this case) for most servers implies they've already broken through some other avenue into your system, at which point you probably have a bigger problem than these flaws. Of course, if you do permit local user logins on your Linode (as opposed to all access being through services like a web application) then you may need to investigate the items further to see what rights may be needed to take advantage.

Items specific to certain services (such as CIFS or NFS) can be considered in the context of whether you actually operate such services publicly or if they're already filtered.

I suspect in the context of most Linode servers, very few of these items represent direct exposures, sans some other intrusion that itself likely carries more risk of harm or loss of data.

I do think it would be helpful to have a summary of local patches, if any, backported into the -linode## kernels, but am not sure if that is published anywhere. You can, however, download the source to those kernels (http://www.linode.com/src) and verify anything yourself. I tend to still use the 2.6-stable kernels (not sure about the paravirt), which appear to be based on xensource.com releases, so that's an extra level of release management.

While there are certainly some critical patches back-ported, as a first approximation it's most likely fair to assume that if a CVE fix is noted as appearing in kernel x.y.z and the Linode kernel is earlier than that (or if the most recent Linode version of that kernel was released before the CVE patch), then the fix is not yet in the Linode kernel.

-- David
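
The first-approximation rule from the post above, written out as an added example (not part of the original thread and not Linode tooling). The kernel strings, dates and the two status labels are constructed for illustration; a backported fix cannot be seen from the version string, so an "assume-unpatched" result is a prompt to check the kernel source, not proof.

```python
import platform
import re
from datetime import date

# Leading numeric part of a release string such as "2.6.38-linode31".
_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_kernel(release):
    """Return a 4-tuple of ints; missing components count as 0."""
    m = _RELEASE.match(release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(part or 0) for part in m.groups())


def fix_status(running, fixed_in, kernel_built=None, fix_published=None):
    """Triage one advisory against the running kernel.

    running       -- output of `uname -r`, e.g. "2.6.38-linode31"
    fixed_in      -- upstream version the advisory says carries the fix
    kernel_built  -- release date of that Linode kernel build, if known
    fix_published -- date the fix was published, if known
    """
    # Rule 1: running kernel is older than the version carrying the fix.
    if parse_kernel(running) < parse_kernel(fixed_in):
        return "assume-unpatched"
    # Rule 2: version is not older, but the build predates the fix.
    if kernel_built and fix_published and kernel_built < fix_published:
        return "assume-unpatched"
    # Assumption: otherwise the version number suggests the fix is present.
    return "version-includes-fix"


if __name__ == "__main__":
    # The running kernel only changes after a reboot, so check the live value.
    running = platform.release()
    try:
        # "2.6.38" is a constructed fixed-in version, not from an advisory.
        print(running, fix_status(running, "2.6.38"))
    except ValueError as exc:
        print(exc)
```
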


PostPosted: Thu Mar 24, 2011 6:51 am 
Senior Newbie

Joined: Thu Sep 16, 2010 10:21 am
Posts: 8
bryantrv wrote:
You are running a Linode kernel, which is chosen via the dashboard, and I believe they are kept fully patched.
You can run your own kernel if you like, using pv_grub, but I let Linode take care of it, and simply choose the latest paravirt kernel.


Does this mean I would need to reboot for the new Linode kernel to take effect? I haven't rebooted in months ... :shock:


PostPosted: Thu Mar 24, 2011 7:02 am 
Senior Member

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
earwax wrote:
Does this mean I would need to reboot for the new Linode kernel to take effect? I haven't rebooted in months ... :shock:

Yes

_________________
/ Peter

