Is it Important to Reboot Linux After a Kernel Update?


I have a few production Fedora and Debian webservers that host our sites as well as user shell accounts (used for git vcs work, some screen+irssi sessions, etc).

Occasionally a new kernel update will come down the pipeline in yum/apt-get, and I was wondering if most of the fixes are severe enough to warrant a reboot, or if I can apply the fixes sans reboot.

Our main development server currently has 213 days of uptime, and I wasn't sure if it was insecure to run such an old kernel.

Best Answer

There is nothing really special about having a long uptime. It is generally better to have a secure system. All systems need updates at some point. You are probably already applying updates; do you schedule outages when you apply those updates? You probably should, just in case something goes wrong. A reboot shouldn't take that much time really.

If your system is so sensitive to outages, you probably should be thinking about some kind of clustering setup so you update a single member of the cluster without bringing everything down.

If you are not sure about a particular update it is probably safer to schedule a reboot and apply it (preferably after testing it on another similar system).

If you are interested in learning whether the update is important, take time to read the security notice, and follow the links back to the CVE or the posts/lists/blogs describing the issue. This should help you decide if the update directly applies in your case.

Even if you don't think it applies you should still consider updating your system eventually. Security is a layered approach. You should assume at some point in time those other layers may fail. Also, you might forget you have a vulnerable system because you skipped an update when you change the configuration at some later point in time.

Anyway, if you want to ignore or wait for a while on an update on Debian-based systems, you can put the package on hold. I personally like to put holds on all the kernel packages just in case.

CLI method to set a hold on a package on Debian-based systems.

dpkg --get-selections | grep 'linux-image' | sed -e 's/install/hold/' | sudo dpkg --set-selections
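
An added example, not part of the answer above: a way to tell whether a host is still running an older kernel than the newest one installed, which is the situation a held package or a skipped reboot leaves behind. It assumes kernel images live in /boot as vmlinuz-<release> with <release> matching `uname -r` (the layout on Debian and Fedora) and a `sort` that supports -V; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: detect a pending kernel reboot by comparing the running
# kernel release with the newest kernel image installed on disk.

# Print the highest version from a newline-separated list on stdin.
newest_kernel() {
    sort -V | tail -n 1
}

# List kernel releases found as vmlinuz-<release> in DIR (default /boot).
installed_kernels() {
    dir=${1:-/boot}
    for f in "$dir"/vmlinuz-*; do
        [ -e "$f" ] || continue            # glob matched nothing
        v=${f##*/vmlinuz-}
        case $v in
            *rescue*) continue ;;          # Fedora rescue image, not a release
        esac
        printf '%s\n' "$v"
    done
}

# reboot_pending RUNNING [DIR]
#   0: a newer kernel than RUNNING is installed (reboot needed to use it)
#   1: RUNNING is already the newest installed kernel
#   2: no kernel images found in DIR
reboot_pending() {
    running=$1
    newest=$(installed_kernels "${2:-/boot}" | newest_kernel)
    [ -n "$newest" ] || return 2
    [ "$newest" != "$running" ] &&
        [ "$(printf '%s\n%s\n' "$running" "$newest" | newest_kernel)" = "$newest" ]
}

# Report for the local host.
if reboot_pending "$(uname -r)"; then
    echo "running $(uname -r), but a newer kernel is installed: reboot pending"
else
    echo "no newer installed kernel found for $(uname -r)"
fi
```

Run from cron or a monitoring check, this flags machines where a kernel security update has been installed but is not yet in effect.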