amuck-landowner

SolusVM Security Update!

maounique

Active Member
Ah, so the denial is over ?

Damn, we were starting to believe them that the new exploits are just rumours, I think this confirms them.
 

D. Strout

Resident IPv6 Proponent
Somehow I get the feeling that this update won't do that much to restore confidence in SVM. I know I still don't place much confidence in it.
 
Last edited by a moderator:

mojeda

New Member
Just got this via email
 

Soluslabs Ltd Wednesday, June 19, 2013
03:25:58 AM GMT 0

PLEASE READ THIS INFORMATION CAREFULLY. THIS INFORMATION IS RELEVANT TO ALL VERSIONS OF SOLUSVM, INCLUDING BETA VERSIONS.
As you may be aware we are currently running a full in house and external code audit. This release contains several important security fixes for all versions of SolusVM.

We highly suggest you update your system as soon as possible. Updates are available through the normal channels.

Latest Beta Version: 1.14.00 R5
Latest Stable Version: 1.13.05

Please be aware the audit is still underway and more updates may follow.

Thank you for your co-operation and understanding.

Regards,
Soluslabs Security Team

Edit: sorry of this is what the blog post was, the solusvm website and blog do not load for me...
 
Last edited by a moderator:

netnub

New Member
And you thought I was joking about the vulnerabilities I was holding with me. Guess you were wrong.

Let's go discover more zero-day's on solusvm, shall we? :D
 

qps

Active Member
Verified Provider
FYI -- when updating to the latest version, if your clients' VPS has an invalid hostname, it will be replaced with vps.server.com.  Per Phill @ SolusVM, this is expected.
 

MannDude

Just a dude
vpsBoard Founder
Moderator
I've got Phill to agree to do a 'Reddit style AMA' (ask me anything // ask me almost anything) so the community can ask him questions regarding the exploit(s), security, the future of SolusVM, or any other concerns. He says he's been up for 2 days and I imagine he'll be busy, but I'll try to get this going while the subject is still relevant. This will be the first in a series of scheduled posts where the community can ask individuals from the industry questions directly regarding current events/news that are relevant at the time.
 

Marc M.

Phoenix VPS
Verified Provider
@MannDude Where can we start asking, cause I have at least two very short and to the point but very serious questions to ask, and I'm hoping that some minimal changes will be implemented after this. Thanks.
 

peterw

New Member
An update for a nonexisting security issue? Did they not write an announcement that SolusVM is secure?

In the meantime, we do not believe there to by any immediate threat to customers.
All histeria and all customers should start their SolusVM again? 12 hours later a security fix?

I don't trust SolusVM any longer.
 

necs

New Member
Please be aware the audit is still underway and more updates may follow... 

:angry:  :angry: 
 

Hassan

New Member
Verified Provider
Leaving my SolusVM disabled until a report on the full audit is released seems like a smart idea at the moment.
 

willie

Active Member
I wouldn't take any "audit" seriously that comes out less than a month from now. The reviewers have to go thru the code base, quickly find and point out the most insane idiocy (of which there is surely plenty left to find), smack the developers into understanding what is wrong, then keep looking for subtler problems while the developers fix the simple stuff. There may be issues requiring large-scale refactoring rather than getting rid of an exec here or there. Then the patch versions have to be reviewed and adversarially tested (i.e. by penetration testers from a security shop, not just normal QA within the company), there will probably be another round of patches, etc. I don't think the product is beyond hope of repair, but the problems seen have been so severe, and known for so long, that the company has little credibility left. They are going to have to bite some large bullets to get it right.
 

mr.tuppington

New Member
I wouldn't take any "audit" seriously that comes out less than a month from now. The reviewers have to go thru the code base, quickly find and point out the most insane idiocy (of which there is surely plenty left to find), smack the developers into understanding what is wrong, then keep looking for subtler problems while the developers fix the simple stuff. There may be issues requiring large-scale refactoring rather than getting rid of an exec here or there. Then the patch versions have to be reviewed and adversarially tested (i.e. by penetration testers from a security shop, not just normal QA within the company), there will probably be another round of patches, etc. I don't think the product is beyond hope of repair, but the problems seen have been so severe, and known for so long, that the company has little credibility left. They are going to have to bite some large bullets to get it right.
Agreed:   audits can find many things and they likely will vary greatly in complexity.  Here's hoping they can move fast (and smart) on the difficult stuff.
 
Top
amuck-landowner