Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -4 articles for you...
98
security advisoryRed Hat LinuxcriticalRed Hat Linux 6.2 RHSA-2000:014-16 Critical: Piranha Web GUI Remote Exploit
The GUI portion of Piranha may allow any remote attacker to execute commands on the server. . -----BEGIN PGP SIGNED MESSAGE------ --------------------------------------------------------------------- Red Hat, Inc. Security Advisory Synopsis: Piranha web GUI exposure Advisory ID: RHSA-2000:014-16 Issue date: 2000-04-18 Updated on: 2000-04-26 Product: Red Hat Linux Keywords: piranha Cross references: php - ---------------------------------------------------------------------1. Topic: The GUI portion of Piranha may allow any remote attacker to execute commands on the server. This may allow a remote attacker to launch additional exploits against a web site from inside the web server. This is an updated release that disables Piranha's web GUI interface unless the site administrator enables it explicitly. 2. Relevant releases/architectures: Red Hat Linux 6.2 - i386 alpha sparc 3. Problem description: When Piranha is installed, it generates a 'secure' web interface ID using the HTML .htaccess method. The information for the account is placed in /home/httpd/html/piranha/secure/passwords which was supposed to be released with a blank password. Unfortunately, the password that is actually on the CD is 'Q'. The original intent was that, when the administrator installed Piranha rpms onto their box, that they would change the default blank password to a password of their own choosing. This is not a hidden account. Its only use is to protect the web pages from unauthorized access. The security problem arises from the file. It is possible to execute commands by entering 'blah;some-command' into the password fields. Everything after the semicolon is executed with the same privilege as the webserver. Because of this, it is possible to compromise the webserver or do serious damage to files on the site that are owned by the user 'nobody' or to export a shell using xterm. Updated piranha packagesreleased as version 0.14.3-1 fixed the security vulnerability while still require for the default behavior of requiring the web administrator to reset the password before making the web site public. Because of the security concerns from the community and in order to protect innocent administrators that might not be aware of the need to change the password for Piranha's interface before going live on the Internet, Red Hat is releasing a new set of packages that disable the piranha web interface by default. The site administrator will have to enable the service from the command line by resetting the password as detailed on the main page of the piranha utility. The new packages that include these changes are known as version piranha-0.4.14-1. Users of Red Hat Linux 6.2 are strongly encouraged to upgrade to the new packages if they are actively using piranha on their system (upgrade instructions follow) or to remove the piranha-gui package altogether by issuing the following command: rpm -e piranha-gui 4. Solution: For each RPM for your particular architecture, run: rpm -Fvh [filename] where filename is the name of the RPM. When you install the update for the piranha-gui, please take a moment to review the instructions presented on the following URL (). This should guide you through the process of installing a password for use with the GUI. 5. Bug IDs fixed ( for more info): N/A 6. Obsoleted by: N/A 7. Conflicts with: N/A 8. RPMs required: Red Hat Linux 6.2: intel: alpha: sparc: sources: 9. Verification: MD5 sum Package Name - --------------------------------------------------------------------------7c9cad243857f3e90cb73457619ad3a0 6.2/SRPMS/piranha-0.4.14-1.src.rpm 179e502f88f149fe3bfb285af851a6d3 6.2/alpha/piranha-0.4.14-1.alpha.rpm 881622bc6403c2af38834c0deaf05d44 6.2/alpha/piranha-docs-0.4.14-1.alpha.rpm 7ffc63ec6f236afc0b19298ec29e6774 6.2/alpha/piranha-gui-0.4.14-1.alpha.rpm 1e04357c0ebb004185b834152667c644 6.2/i386/piranha-0.4.14-1.i386.rpm 5b6649f14979e1b2fbdb763d88e9a3ac 6.2/i386/piranha-docs-0.4.14-1.i386.rpm 1a49816f280dc7a9b83ba9bab42a247f 6.2/i386/piranha-gui-0.4.14-1.i386.rpm 4153b861f030a17745463c1749732b58 6.2/sparc/piranha-0.4.14-1.sparc.rpm dc964993d9a3b6c967e5c4455bc24221 6.2/sparc/piranha-docs-0.4.14-1.sparc.rpm 97071e07e2f34fecf80ba48f61e70ba6 6.2/sparc/piranha-gui-0.4.14-1.sparc.rpm These packages are GPG signed by Red Hat, Inc. for security. Our key is available at: You can verify each package with the following command: rpm --checksig If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg 10. References: This vulnerability was discovered and researched by Allen Wilson and Dan Ingevaldson of Internet Security Systems. Red Hat would like to thank ISS for the assistance in getting this problem fixed quickly. Cristian - --- ----------------------------------------------------------------------Cristian Gafton --
Jun 08, 2023
•Critical
Red Hat
98
security advisorybug fixremote accessRed Hat Enterprise Linux 6 Update RHSA-2014-0175 for Piranha CVE-2013-6492
An updated piranha package that fixes one security issue and one bug is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS). -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ==================================================================== Red Hat Security Advisory Synopsis: Important: piranha security and bug fix update Advisory ID: RHSA-2014:0175-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2014:0175.html Issue date: 2014-02-13 CVE Names: CVE-2013-6492 ==================================================================== 1. Summary: An updated piranha package that fixes one security issue and one bug is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Load Balancer (v. 6) - i386, x86_64 3. Description: Piranha provides high-availability and load-balancing services for Red Hat Enterprise Linux. The piranha packages contain various tools to administer and configure the Linux Virtual Server (LVS), as well as the heartbeat and failover components. LVS is a dynamically-adjusted kernel routing mechanism that provides load balancing, primarily for Web and FTP servers. It was discovered that the Piranha Configuration Tool did not properly restrict access to its web pages. A remote attacker able to connect to the Piranha Configuration Tool web server port could use this flaw to read or modify the LVS configuration without providing valid administrative credentials. (CVE-2013-6492) This update also fixes the following bug: * When the lvsd service attempted to start, thesem_timedwait() function received the interrupted function call (EINTR) error and exited, causing the lvsd service to fail to start. With this update, EINTR errors are correctly ignored during the start-up of the lvsd service. (BZ#1055709) All piranha users are advised to upgrade to this updated package, which contains backported patches to correct these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1043040 - CVE-2013-6492 piranha: web UI authentication bypass using POST requests 1055709 - pulse: ignore EINTR while waiting for semaphore 6. Package List: Red Hat Enterprise Linux Load Balancer (v. 6): Source: i386: piranha-0.8.6-4.el6_5.2.i686.rpm piranha-debuginfo-0.8.6-4.el6_5.2.i686.rpm x86_64: piranha-0.8.6-4.el6_5.2.x86_64.rpm piranha-debuginfo-0.8.6-4.el6_5.2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key#package 7. References: https://access.redhat.com/security/cve/CVE-2013-6492 https://access.redhat.com/security/updates/classification#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFS/RSyXlSAg2UNWIIRAteSAKCPyBOqLcBj/niuICECjuc4+E9NowCdEoma nprYVqHj1pu2dLRLRlbAtno=ZZq+ -----END PGP SIGNATURE----- -- Enterprise-watch-list mailing list
Feb 13, 2014
•Important
Red Hat
200
security advisoryaccess controlbug fixScientific Linux 6: SLSA-2014:0175-1 Important Piranha Access Control Issue
Important: piranha security and bug fix update. Date: Thu, 13 Feb 2014 20:33:39 +0000 Reply-To: scientific-linux-users@ Sender: Security Errata for Scientific Linux From: Pat Riehecky Subject: Security ERRATA Important: piranha on SL6.x i386/x86_64 MIME-Version: 1.0 Synopsis: Important: piranha security and bug fix update Advisory ID: SLSA-2014:0175-1 Issue Date: 2014-02-13 CVE Numbers: CVE-2013-6492 -- It was discovered that the Piranha Configuration Tool did not properly restrict access to its web pages. A remote attacker able to connect to the Piranha Configuration Tool web server port could use this flaw to read or modify the LVS configuration without providing valid administrative credentials. (CVE-2013-6492) This update also fixes the following bug: * When the lvsd service attempted to start, the sem_timedwait() function received the interrupted function call (EINTR) error and exited, causing the lvsd service to fail to start. With this update, EINTR errors are correctly ignored during the start-up of the lvsd service. -- SL6 x86_64 piranha-0.8.6-4.el6_5.2.x86_64.rpm piranha-debuginfo-0.8.6-4.el6_5.2.x86_64.rpm i386 piranha-0.8.6-4.el6_5.2.i686.rpm piranha-debuginfo-0.8.6-4.el6_5.2.i686.rpm - Scientific Linux Development Team . Piranha security patch issued for SL6 targeting access control vulnerabilities and resolving bugs.. Important Update, Piranha Fix, Security Advisory, Scientific Linux. . Severity: Important. LinuxSecurity.com Team
Feb 13, 2014
•Important
Scientific Linux
200
security advisoryremote exploitimportantScientific Linux SL5: SLSA-2014:0174-1 Important: Piranha Remote Exploit
Important: piranha security update. Date: Thu, 13 Feb 2014 20:33:32 +0000 Reply-To: scientific-linux-users@ Sender: Security Errata for Scientific Linux From: Pat Riehecky Subject: Security ERRATA Important: piranha on SL5.x i386/x86_64 MIME-Version: 1.0 Synopsis: Important: piranha security update Advisory ID: SLSA-2014:0174-1 Issue Date: 2014-02-13 CVE Numbers: CVE-2013-6492 -- It was discovered that the Piranha Configuration Tool did not properly restrict access to its web pages. A remote attacker able to connect to the Piranha Configuration Tool web server port could use this flaw to read or modify the LVS configuration without providing valid administrative credentials. (CVE-2013-6492) -- SL5 x86_64 piranha-0.8.4-26.el5_10.1.x86_64.rpm piranha-debuginfo-0.8.4-26.el5_10.1.x86_64.rpm i386 piranha-0.8.4-26.el5_10.1.i386.rpm piranha-debuginfo-0.8.4-26.el5_10.1.i386.rpm - Scientific Linux Development Team . Crucial shark security patch released for Scientific Linux SL5.x mitigating severe online vulnerability threat.. piranha Security Update, SL5 Admin Issues, Scientific Linux Advisory. . Severity: Important. LinuxSecurity.com Team
Feb 13, 2014
•Important
Scientific Linux
98
security advisoryupdatered hatRed Hat 5: RHSA-2014:0174-01 Critical: Piranha Auth Bypass Exploit
An updated piranha package that fixes one security issue is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...]. ==================================================================== Red Hat Security Advisory Synopsis: Important: piranha security update Advisory ID: RHSA-2014:0174-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2014:0174.html Issue date: 2014-02-13 CVE Names: CVE-2013-6492 ==================================================================== 1. Summary: An updated piranha package that fixes one security issue is now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Clustering (v. 5 server) - i386, ia64, ppc, x86_64 3. Description: Piranha provides high-availability and load-balancing services for Red Hat Enterprise Linux. The piranha packages contain various tools to administer and configure the Linux Virtual Server (LVS), as well as the heartbeat and failover components. LVS is a dynamically-adjusted kernel routing mechanism that provides load balancing, primarily for Web and FTP servers. It was discovered that the Piranha Configuration Tool did not properly restrict access to its web pages. A remote attacker able to connect to the Piranha Configuration Tool web server port could use this flaw to read or modify the LVS configuration without providing valid administrative credentials. (CVE-2013-6492) All piranha users are advised to upgrade to this updated package, which contains a backported patch to correct this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have beenapplied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1043040 - CVE-2013-6492 piranha: web UI authentication bypass using POST requests 6. Package List: RHEL Clustering (v. 5 server): Source: i386: piranha-0.8.4-26.el5_10.1.i386.rpm piranha-debuginfo-0.8.4-26.el5_10.1.i386.rpm ia64: piranha-0.8.4-26.el5_10.1.ia64.rpm piranha-debuginfo-0.8.4-26.el5_10.1.ia64.rpm ppc: piranha-0.8.4-26.el5_10.1.ppc.rpm piranha-debuginfo-0.8.4-26.el5_10.1.ppc.rpm x86_64: piranha-0.8.4-26.el5_10.1.x86_64.rpm piranha-debuginfo-0.8.4-26.el5_10.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://access.redhat.com/security/cve/CVE-2013-6492 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. . Crucial piranha security patch available for Red Hat Enterprise Linux resolving an authentication circumvention vulnerability. Update immediately!. Red Hat, Piranha Security, Authentication Fix, RHSA-2014:0174-01. . Severity: Important. LinuxSecurity.com Team
Feb 13, 2014
•Important
Red Hat
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!