# New SolusVM Update



## MartinD (Jun 24, 2013)

There's a new update available

1.13.07 and 1.14. Beta R7 from your solus master!

Edit: http://blog.soluslabs.com/2013/06/24/security-updates-available-for-all-solusvm-versions-2/


----------



## BlueVM (Jun 24, 2013)

Proceed to update again => get hacked.

Thou shalt repeat the cycle.

--

I kid... I do like the fact that they're pushing updates.


----------



## SkylarM (Jun 24, 2013)

I heard you liked security, and I heard you liked updates. SO we gave you a vague update for "security"!


----------



## Kris (Jun 24, 2013)

```
Soluslabs Ltd 	Monday, June 24, 2013 : 11:26:48 PM GMT 0

PLEASE READ THIS INFORMATION CAREFULLY.

THIS INFORMATION IS RELEVANT TO ALL VERSIONS OF SOLUSVM, INCLUDING BETA VERSIONS.

As you may be aware we are currently running a full in house and external code audit. 

This release contains several important security fixes for all versions of SolusVM.

We highly suggest you update your system as soon as possible. 

Updates are available through the normal channels.

Latest Beta Version: 1.14.00 R7
Latest Stable Version: 1.13.07

Please be aware the audit is still underway and more updates may follow.

Thank you for your co-operation and understanding.

Regards,
Soluslabs Security Team
```


----------



## XFS_Brian (Jun 24, 2013)

Found a bug already.

http://my.jetscreenshot.com/demo/20130624-uqxd-17kb


----------



## Kris (Jun 24, 2013)

SkylarM said:


> I heard you liked security, and I heard you liked updates. SO we gave you a vague update for "security"!


TBH - This is the first day the external audit happened. First day Solus coders aren't sitting with their thumbs firmly up their asses, and already an update has come out.

I'd expect a few more of these through the week - a final 'stable version' - then the other shoe will probably drop.

Drop your cpbackup daily check timing to .15 and update your crons, keep multiple backups off-site if you're using a Solus host. All I can say about that.

I'm currently migrating away from any Solus based host, I did when RAMNode got hit, and when CVPS got hit - I was glad I made the decision.


----------



## SVMPhill (Jun 24, 2013)

Kris said:


> TBH - This is the first day the external audit happened. First day Solus coders aren't sitting with their thumbs firmly up their asses, and already an update has come out.


How do you know this? Where have you got this information from?


----------



## Kris (Jun 24, 2013)

XFS_Brian said:


> Found a bug already.


Judging by what the code fixes, that's not too bad.

As the saying goes, "Watch out for bridges and hop-ons... You're gonna get some hop-ons."


----------



## SVMPhill (Jun 24, 2013)

XFS_Brian said:


> Found a bug already.
> 
> http://my.jetscreenshot.com/demo/20130624-uqxd-17kb


Just a busy server. It will settle down when our DNS changes.


----------



## Kris (Jun 24, 2013)

SVM_Phill said:


> How do you know this? Where have you got this information from?


One of your own posts mentioned the external audit was starting Monday. Have I missed something?

As for the thumbs firmly up your asses, it's common knowledge with the exploits lately (during a 'code audit')

*EDIT: I believe it was quoted an in-house audit was being completed Monday, with a 3rd party auditing it for 'compliance' (aka actually checking it) starting Monday. Can't find the source, too busy fleeing Solus powered hosts, it's around.*


----------



## rsk (Jun 24, 2013)

So, what does this update entail? :S


----------



## SkylarM (Jun 24, 2013)

Kris said:


> One of your own posts mentioned the external audit was starting Monday. Have I missed something?
> 
> As for the thumbs firmly up your asses, it's common knowledge with the exploits lately (during a 'code audit')
> 
> *EDIT: I believe it was quoted an in-house audit was being completed Monday, with a 3rd party auditing it for 'compliance' (aka actually checking it) starting Monday. Can't find the source, too busy fleeing Solus powered hosts, it's around.*


How does abandoning a solus host do anything? It's like saying you should use Mac over Windows because Mac has fewer viruses. Just because fewer hosts use it doesn't make it safer. If everyone swapped to Virtualizer or vePortal or any of the other available panels on the market, suddenly they become interesting to try and hack. What happens when an exploit happens on one of them, which is likely to happen? Just going to abandon ship each time something happens? If anything, this is a perfect time for Solus to get their shit together. 

I get that it sucks having to deal with data loss, etc -- but running from the issue to something equally as poorly coded isn't the best option.

If anything from a webhost perspective it's a huge wakeup call. We're presently working on better backup solutions and looking at proper disaster recovery methods and things like that. Don't live in a world where you think you are safe, focus on fixing the issue and having proper backup procedures and you're golden.


----------



## Kris (Jun 24, 2013)

SkylarM said:


> How does abandoning a solus host do anything?



So my machine is secure and I don't have to wake up with my data being leaked?

I'm not switching to hosts with any type of budget panel or "web host in a box" package. Essentially all the same.

Getting old wondering if my data's been spilled again every morning.

So yes, switching to VPS hosts that don't just let Solus run things will help. Many hosts who are serious about security (or actually know more than pressing buttons in Solus) are looking at other options.



SkylarM said:


> I get that it sucks having to deal with data loss, etc -- but running from the issue to something equally as poorly coded isn't the best option.


You have no idea what control panel I'm talking about, and I lost no data. I keep backups. You do know there are other options than crappy plug and play programs? OnApp is nice, but expensive - and would cut into the low end margin.



SkylarM said:


> If anything from a webhost perspective it's a huge wakeup call. We're presently working on better backup solutions and looking at proper disaster recovery methods and things like that. Don't live in a world where you think you are safe, focus on fixing the issue and having proper backup procedures and you're golden.


How haven't you had this settled before? And where have I implied I don't have backups? I have 3 sets, 3 different data centers. Learn the machine you're using, consider other options rather than defend and wait for the next Solus exploit. Oh, and don't live in a world where you think you are safe with 1 backup set alone.

*Next ?*


----------



## SkylarM (Jun 24, 2013)

I wasn't saying that I'm content with Solus, I'm just pointing out the fact that you're wrong if you think that the other alternatives available to most web hosts these days aren't any more secure than Solus, they are just not widely used so less likely to be targeted. Nor did I ever say 1 backup was sufficient. I'm very actively looking at alternatives such as BlueCP and others.


----------



## BK_ (Jun 24, 2013)

Kris said:


> Oh, and don't live in a world where you think you are safe with 1 backup set alone.


And don't live in a world where thinking that moving away from providers that use Solus will prevent you from being on a machine that becomes compromised due to a 0day/exploit.

I understand what you're saying and I'm not too happy about the exploits affecting my containers, sure, but do keep in mind that no panel can offer you one hundred percent safety. This has been a massive wake up call to the whole industry, as everyone is aware, and every single panel developer is probably thinking twice before throwing some sloppy code into the mix regardless of how big or small the actual project is. If anything, once the audit is complete over at Solus, it'll probably be one of the most 'secure' panels due to the scrutiny.


----------



## SkylarM (Jun 24, 2013)

BK_ said:


> If anything, once the audit is complete over at Solus, it'll probably be one of the most 'secure' panels due to the scrutiny.


One could only hope so.

You'd have to be downright delusional to assume that will be the case though.


----------



## BK_ (Jun 24, 2013)

SkylarM said:


> You'd have to be downright delusional to assume that will be the case though.


 

I certainly won't be assuming, that's for damn sure.


----------



## SeriesN (Jun 24, 2013)

Okay, let's face the fact. Solus screwed up. So did Linode, HyperVM, Digital Ocean, WHMCS, Virtualizor, vePortal (a product that works only when it wants to), Hetzner konsole.

Everything that has been made by humans can be and will be attacked. It is not how you hack it but what matters most is how you are handling this. So far, Solus is doing a tremendous job by constantly pushing updates and changes.


----------



## drmike (Jun 24, 2013)

This is news:



> we are currently running a full in house and external code audit.


 

In house and external audit. Color me slightly impressed. Wondering who the external firm is and if they are bonded?


----------



## SeriesN (Jun 24, 2013)

And let's face it, I am not a great coder, nor can I afford to hire a top notch gold standard programmer to code and maintain a panel for me, nor will I have access to awesome panels like Stallion.

I am sure most of us are in the same boat. If there is a leak, we can work on fixing it since we can't afford to build a better ship and no one will give us access to their own ship.


----------



## Kris (Jun 24, 2013)

BK_ said:


> And don't live in a world where thinking that moving away from providers that use Solus will prevent you from being on a machine that becomes compromised due to a 0day/exploit.


I don't. But on the other hand, when point and click scripts for rooting installs and machines are going around, numerous albeit, while hosts are asleep - I'll take another control panel.

Keeping production sites / machines with Solus based providers simply isn't safe anymore.

I'm sure those with licenses and no other viable options will say the contrary. *Good luck.*


----------



## MartinD (Jun 25, 2013)

lol. Just lol.


----------



## Mr. Obvious (Jun 25, 2013)

Kris said:


> I don't. But on the other hand, when point and click scripts for rooting installs and machines are going around, numerous albeit, while hosts are asleep - I'll take another control panel.
> 
> Keeping production sites / machines with Solus based providers simply isn't safe anymore.
> 
> I'm sure those with licenses and no other viable options will say the contrary. *Good luck.*


Can I buy pot from you dude.


----------



## upsetcvps (Jun 25, 2013)

Kris said:


> I'm not switching to hosts with any type of budget panel or "web host in a box" package. Essentially all the same.


 

so what are some good options here?


----------



## upsetcvps (Jun 25, 2013)

My biggest issue with solusvm is that they feel the need to hide their code from their users.


----------



## MartinD (Jun 25, 2013)

That's a really shitty argument.


----------

