# SolusVM 1.13.09/1.14.00 R9 Update Released!



## Marc M. (Jun 30, 2013)

> This release contains minor code fixes and security enhancements/changes as part of our code audit.
> 
> All information on this release will be included in the audit report. More information and the status of our audit will be released as soon as we have confirmation on the start date of the external audit.


From the looks of it the external audit has not started yet, as another update has been released. IMHO they are giving the code a thorough look. I hope that whatever they are doing is right so that we won't have to face situations like these again in the future.


----------



## rds100 (Jun 30, 2013)

Yes, at least it seems they are not drinking cocktails on some beach, instead they are working on the code even on a weekend. +1 for SolusLabs this time.


----------



## H_Heisenberg (Jun 30, 2013)

I wish to see a changelog (a transparent changelog with as much info as possible).


----------



## Marc M. (Jun 30, 2013)

@H_Heisenberg I doubt that it will happen. They are patching security vulnerabilities after all.


----------



## H_Heisenberg (Jun 30, 2013)

*@Marc M.* Right but they said more information will follow in the audit report. I even have doubts about that :|


----------



## MartinD (Jun 30, 2013)

H_Heisenberg said:


> *@Marc M.* Right but they said more information will follow in the audit report. I even have doubts about that :|


The audit hasn't finished yet (at least the external one) so that perhaps explains why there has been no report? Why do you have doubts?


----------



## SVMPhill (Jun 30, 2013)

Marc M. said:


> From the looks of it the external audit has not started yet, as another update has been released. IMHO they are giving the code a thorough look. I hope that whatever they are doing is right so that we won't have to face situations like these again in the future.


Yes you are correct it's not been started. We are awaiting a conference call with http://www.cnsgroup.co.uk and a start date.


----------



## SVMPhill (Jun 30, 2013)

H_Heisenberg said:


> @Marc M. Right but they said more information will follow in the audit report. I even have doubts about that :|


There will be a full report once the auditing is complete. We don't see the need to give you any information on any patches when we release them. I can assure you it's for safety reasons only. You would gain nothing from that information at this point.

At the end of the day we care and want to fix things. I hold my hands up to making most of these mistakes (personally) and I intend to make sure they never happen again.


----------



## Marc M. (Jun 30, 2013)

MartinD said:


> The audit hasn't finished yet (at least the external one) so that perhaps explains why there has been no report? Why do you have doubts?


@MartinD the external audit hasn't started yet. They are still milling through their own code double checking everything. So they are running about a week behind, could end up being more. Once they are completely done with their internal patching and fixing, they will most likely have a third party perform an external audit, looking for possible ways to exploit the code. In all likelihood the external audit report will be the only one that will be published.

The catch 22 is that I don't know how much all of this will accomplish, because the exploits published on "localhost.re" were discovered by having access to the source which was most likely decoded with this: http://idezender.com/

In any case, I hope for the best. The ideal result would be for them to clean up their code so that even if someone gains access to the source code again (or a portion of it), it wouldn't be exploitable.


----------



## SVMPhill (Jun 30, 2013)

Marc M. said:


> *@MartinD* the external audit hasn't started yet. They are still milling through their own code double checking everything. So they are running about a week behind, could end up being more. Once they are completely done with their internal patching and fixing, they will most likely have a third party perform an external audit, looking for possible ways to exploit the code. In all likelihood the external audit report will be the only one that will be published.
> 
> The catch 22 is that I don't know how much all of this will accomplish, because the exploits published on "localhost.re" were discovered by having access to the source which was most likely decoded with this: http://idezender.com/
> 
> In any case, I hope for the best. The ideal result would be for them to clean up their code so that even if someone gains access to the source code again (or a portion of it), it wouldn't be exploitable.


The external auditors will have the source code. It's the whole idea.


----------



## Marc M. (Jun 30, 2013)

SVM_Phill said:


> The external auditors will have the source code. It's the whole idea.


*@* thank you for all the information and updates. I agree that publicly releasing any updates on a change-log won't do anyone any good. Things are moving in the right direction so I'm sure that everything will be resolved 

I was wondering if it would be possible for new SolusVM installs to enable Nginx (possibly with Naxsi) as the default web server and also configure it with php-fpm instead of spawn-fcgi. I think that part of the responsibility in properly deploying and securing SolusVM falls on the user/provider as well, unfortunately many leave everything at the default settings, and those are known by everyone.

I have updated my repository with new Nginx 1.2.9 and 1.4.1 packages, as well as Xen 4.1.5 (with the XSA-55 patches) for CentOS 6 if you guys want to have a look: http://repo.phoenixrpm.com - source rpms included.

Also, on an unrelated note, I meant to ask if the XL toolstack for Xen 4.2 will be supported in SolusVM, and if so, if there is an ETA for that. I imagine that due to everything that has happened this isn't a priority, but at least I could start working on a properly maintained Xen 4.2 branch for CentOS 6.

Thank you.


----------



## kaniini (Jun 30, 2013)

Marc M. said:


> Also, on an unrelated note, I meant to ask if the XL toolstack for Xen 4.2 will be supported in SolusVM, and if so, if there is an ETA for that. I imagine that due to everything that has happened this isn't a priority, but at least I could start working on a properly maintained Xen 4.2 branch for CentOS 6.


IIRC, it already supports XL.  At least BudgetVM runs SolusVM with XL toolstack.


----------



## Marc M. (Jun 30, 2013)

kaniini said:


> IIRC, it already supports XL. At least BudgetVM runs SolusVM with XL toolstack.


@kaniini I don't know, that could be misleading, since 4.2 is still backwards compatible with XM, however XL is the recommended toolstack.

By the way, have you noticed any issues when running Ubuntu 12.04 on Xen 4.2, like it won't run for example? (assuming that you're running 4.2 of course).


----------



## kaniini (Jul 1, 2013)

Marc M. said:


> *@kaniini* I don't know, that could be misleading, since 4.2 is still backwards compatible with XM, however XL is the recommended toolstack.
> 
> By the way, have you noticed any issues when running Ubuntu 12.04 on Xen 4.2, like it won't run for example? (assuming that you're running 4.2 of course).


At least when I was at Enzu, I remember on each node a configuration option for choosing whether to use XM or XL toolstack.  The XL toolstack was recommended by SolusVM for Xen 4.1+.

Are you running on Sandy Bridge or newer?  If so, Ubuntu botched their kernel.  You have to upgrade it to the latest one in precise-updates.

A workaround is to disable xsave/xrstor instructions on the hypervisor side (pass xsave=0 commandline argument to Xen), but this of course requires a reboot.  I have a couple of nodes that haven't been patched yet still because I don't wish to induce downtime for them.  We get a ticket once in a while about it.


----------



## Nick_A (Jul 1, 2013)

What hosts have enabled SolusVM access for clients at this point?


----------



## notFound (Jul 1, 2013)

Nick_A said:


> What hosts have enabled SolusVM access for clients at this point?


Seems to be a 50/50 split from the hosts I use, personally I'm keeping ours off for the public for the moment until the external audit is finished with just to be safe. I'm happy with the extra work needed to keep customers happy if it means peace of mind.


----------



## vanarp (Jul 1, 2013)

Nick_A said:


> What hosts have enabled SolusVM access for clients at this point?


Out of my 4 hosts using SolusVM, two have enabled client access for quite some time. I really admire their confidence


----------



## rds100 (Jul 1, 2013)

We are not enabling it for now. Strangely enough we don't see people complaining about it.


----------



## concerto49 (Jul 1, 2013)

We haven't enabled it for clients. There are still known issues out there - so I've heard and "seen".


----------



## Marc M. (Jul 1, 2013)

Install Nginx + Naxsi + IP restrict admin area + place a htpasswd on it + enable CloudFlare for the panel
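The recipe in this post, written out as an nginx server block. This is an added example, not SolusVM's or SolusLabs' own configuration and not something posted in the thread: the vhost name, certificate and socket paths, the admin URL prefix, the admin address and the Naxsi score thresholds are all assumptions or placeholders. It also covers the earlier suggestion in the thread of php-fpm instead of spawn-fcgi. One caveat the one-liner leaves out: once CloudFlare sits in front of the panel, every request arrives from a CloudFlare address, so the `allow`/`deny` list only works if nginx restores the client address from `CF-Connecting-IP` (ngx_http_realip_module) and trusts that header from CloudFlare's published ranges only.

```nginx
# Added example, not SolusVM's configuration. Paths, names and thresholds are assumptions.

# --- http {} context ---
# Naxsi core rules (rule file path is an assumption)
include /etc/nginx/naxsi_core.rules;

# Restore the real client address from CloudFlare's header, but only when the
# request actually comes from CloudFlare. Replace the placeholder CIDR with
# CloudFlare's published proxy ranges; without this the IP allow-list below
# would only ever see CloudFlare's own addresses.
set_real_ip_from 192.0.2.0/24;          # placeholder, not a real CloudFlare range
real_ip_header   CF-Connecting-IP;

# --- server {} context ---
server {
    listen 443 ssl;
    server_name panel.example.com;                        # assumption
    ssl_certificate     /etc/pki/tls/certs/panel.crt;     # assumption
    ssl_certificate_key /etc/pki/tls/private/panel.key;   # assumption
    root /usr/local/solusvm/www;                          # assumption

    # Naxsi directives are per-location, so they are repeated in each
    # location that serves the application. Run with LearningMode first
    # and tune the scores before enforcing.
    location / {
        SecRulesEnabled;
        DeniedUrl "/RequestDenied";
        CheckRule "$SQL >= 8" BLOCK;
        CheckRule "$RFI >= 8" BLOCK;
        CheckRule "$TRAVERSAL >= 4" BLOCK;
        CheckRule "$XSS >= 8" BLOCK;
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location /RequestDenied {
        return 403;
    }

    # Admin area: source-IP allow-list AND HTTP basic auth in front of the
    # application's own login. Both must pass before PHP ever runs.
    location /admincp/ {                                  # admin prefix is an assumption
        allow 198.51.100.10;                              # placeholder admin address
        deny  all;
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/panel.htpasswd;   # created with: htpasswd -c <file> <user>

        SecRulesEnabled;
        DeniedUrl "/RequestDenied";
        CheckRule "$SQL >= 8" BLOCK;
        CheckRule "$RFI >= 8" BLOCK;
        CheckRule "$TRAVERSAL >= 4" BLOCK;
        CheckRule "$XSS >= 8" BLOCK;
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # PHP via php-fpm over a unix socket instead of spawn-fcgi.
    # try_files =404 stops requests for non-existent .php paths reaching FPM.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;  # assumption
    }
}
```

Check the result with `nginx -t` before reloading, and confirm from the access log that the logged remote address is the real client and not a CloudFlare address; if it is not, the `set_real_ip_from` ranges are wrong and the admin allow-list is not doing what it looks like it does.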


----------

