SolusVM 1.13.09/1.14.00 R9 Update Released!

Marc M.

Phoenix VPS
Verified Provider
This release contains minor code fixes and security enhancements/changes as part of our code audit.

All information on this release will be included in the audit report. More information and the status of our audit will be released as soon as we have confirmation on the start date of the external audit.
From the looks of it the external audit has not started yet, as another update has been released. IMHO they are giving the code a thorough look. I hope that whatever they are doing is right so that we won't have to face situations like these again in the future.
 

rds100

New Member
Verified Provider
Yes, at least it seems they are not drinking coctails on some beach, instead they are working on the code even on a weekend. +1 for SolusLabs this time.
 
Last edited by a moderator:

MartinD

Retired Staff
Verified Provider
Retired Staff
@Marc M. Right but they said more information will follow in the audit report. I even have doubts about that :|
The audit hasn't finished yet (at least the external one) so that perhaps explains why there has been no report? Why do you have doubts?
 

SVMPhill

New Member
From the looks of it the external audit has not started yet, as another update has been released. IMHO they are giving the code a thorough look. I hope that whatever they are doing is right so that we won't have to face situations like these again in the future.
Yes you are correct it's not been started. We are awaiting a conference call with http://www.cnsgroup.co.uk and a start date.
 

SVMPhill

New Member
@Marc M. Right but they said more information will follow in the audit report. I even have doubts about that :|
There will be a full report once the auditing is complete. We don't see the need to give you any information on any patches when we release them. I can assure you it's for safety reasons only. You would gain nothing from that information at this point.

At the end of the day we care and want to fix things. I hold my hands up to making most of these mistakes (personally) and i intend to make sure they never happen again.
 

Marc M.

Phoenix VPS
Verified Provider
The audit hasn't finished yet (at least the external one) so that perhaps explains why there has been no report? Why do you have doubts?
@MartinD the external audit hasn't started yet. They are still milling through their own code double checking everything. So they are running about a week behind, could end up being more. Once they are completely done with their internal patching and fixing, they will most likely have a third party perform an external audit, looking for possible ways to exploit the code. In all likelihood the external audit report will be the only one that will be published.

The catch 22 is that I don't know how much all of this will accomplish, because the exploits published on "localhost.re" were discovered by having access to the source which was most likely decoded with this: http://idezender.com/

In any case, I hope for the best. The ideal result would be for them to clean up their code so that even if someone gains access to the source code again (or a portion of it), it wouldn't be exploitable.
 

SVMPhill

New Member
@MartinD the external audit hasn't started yet. They are still milling through their own code double checking everything. So they are running about a week behind, could end up being more. Once they are completely done with their internal patching and fixing, they will most likely have a third party perform an external audit, looking for possible ways to exploit the code. In all likelihood the external audit report will be the only one that will be published.

The catch 22 is that I don't know how much all of this will accomplish, because the exploits published on "localhost.re" were discovered by having access to the source which was most likely decoded with this: http://idezender.com/

In any case, I hope for the best. The ideal result would be for them to clean up their code so that even if someone gains access to the source code again (or a portion of it), it wouldn't be exploitable.
The external auditors will have the source code. It's the whole idea.
 

Marc M.

Phoenix VPS
Verified Provider
The external auditors will have the source code. It's the whole idea.
@ thank you for all the information and updates. I agree that publicly releasing any updates on a change-log won't do anyone any good. Things are moving in the right direction so I'm sure that everything will be resolved :)

I was wondering if it would be possible for new SolusVM installs to enable Nginx (possibly with Naxsi) as the default web server and also configure it with php-fpm instead of spawn-fcgi. I think that part of the responsibility in properly deploying and securing SolusVM falls on the user/provider as well, unfortunately many leave everything at the default settings, and those are known by everyone.

I have updated my repository with new Nginc 1.2.9 and 1.4.1 packages, as well as Xen 4.1.5 (with the XSA-55 patches) for CentOS 6 if you guys want to have a look: http://repo.phoenixrpm.com - source rpms included.

Also, on a unrelated note, I meant to ask if the XL toolstack for Xen 4.2 will be supported in SolusVM, and if so, if there is an ETA for that. I imagine that due to everything that has happened this isn't a priority, but at least I could start working on a properly maintained Xen 4.2 branch for CentOS 6.

Thank you.
 

kaniini

Beware the bunny-rabbit!
Verified Provider
Also, on a unrelated note, I meant to ask if the XL toolstack for Xen 4.2 will be supported in SolusVM, and if so, if there is an ETA for that. I imagine that due to everything that has happened this isn't a priority, but at least I could start working on a properly maintained Xen 4.2 branch for CentOS 6.
IIRC, it already supports XL.  At least BudgetVM runs SolusVM with XL toolstack.
 

Marc M.

Phoenix VPS
Verified Provider
IIRC, it already supports XL. At least BudgetVM runs SolusVM with XL toolstack.
@kaniini I don't know, that could be misleading, since 4.2 is still backwards compatible with XM, however XL is the recommended toolstack.

By the way, have you noticed any issues when running Ubuntu 12.04 on Xen 4.2, like it won't run for example? (assuming that you're running 4.2 of course).
 

kaniini

Beware the bunny-rabbit!
Verified Provider
@kaniini I don't know, that could be misleading, since 4.2 is still backwards compatible with XM, however XL is the recommended toolstack.

By the way, have you noticed any issues when running Ubuntu 12.04 on Xen 4.2, like it won't run for example? (assuming that you're running 4.2 of course).
At least when I was at Enzu, I remember on each node a configuration option for choosing whether to use XM or XL toolstack.  The XL toolstack was recommended by SolusVM for Xen 4.1+.

Are you running on Sandy Bridge or newer?  If so, Ubuntu botched their kernel.  You have to upgrade it to the latest one in precise-updates.

A workaround is to disable xsave/xrstor instructions on the hypervisor side (pass xsave=0 commandline argument to Xen), but this of course requires a reboot.  I have a couple of nodes that haven't been patched yet still because I don't wish to induce downtime for them.  We get a ticket once in a while about it.
 

notFound

Don't take me seriously!
Verified Provider
What hosts have enabled SolusVM access for clients at this point?
Seems to be a 50/50 split from the hosts I use, personally I'm keeping ours off for the public for the moment until the external audit is finished with just to be safe. I'm happy with the extra work needed to keep customers happy if it means piece of mind.
 

rds100

New Member
Verified Provider
We are not enabling it for now. Strangely enough we don't see people complaining about it.
 
Last edited by a moderator:

concerto49

New Member
Verified Provider
We haven't enabled it for clients. There are still known issues out there - so I've heard and "seen".
 

Marc M.

Phoenix VPS
Verified Provider
Install Nginx + Naxsi + IP restrict admin area + place a hpasswd on it + enable CloudFlare for the panel ;)
 
Last edited by a moderator:
Top