Security Advisory Important: piranha security update

Advisory: RHSA-2014:0174-1
Type: Security Advisory
Severity: Important
Issued on: 2014-02-13
Last updated on: 2014-02-13
Affected Products: RHEL Clustering (v. 5 server)
CVEs: CVE-2013-6492


An updated piranha package that fixes one security issue is now available
for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
Important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Piranha provides high-availability and load-balancing services for Red Hat
Enterprise Linux. The piranha packages contain various tools to administer
and configure the Linux Virtual Server (LVS), as well as the heartbeat and
failover components. LVS is a dynamically-adjusted kernel routing mechanism
that provides load balancing, primarily for Web and FTP servers.

It was discovered that the Piranha Configuration Tool did not properly
restrict access to its web pages. A remote attacker able to connect to the
Piranha Configuration Tool web server port could use this flaw to read or
modify the LVS configuration without providing valid administrative
credentials. (CVE-2013-6492)

All piranha users are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.


Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at

Updated packages

RHEL Clustering (v. 5 server)

piranha-0.8.4-26.el5_10.1.src.rpm
piranha-0.8.4-26.el5_10.1.i386.rpm
piranha-debuginfo-0.8.4-26.el5_10.1.i386.rpm
piranha-0.8.4-26.el5_10.1.ia64.rpm
piranha-debuginfo-0.8.4-26.el5_10.1.ia64.rpm
piranha-0.8.4-26.el5_10.1.ppc.rpm
piranha-debuginfo-0.8.4-26.el5_10.1.ppc.rpm
piranha-0.8.4-26.el5_10.1.x86_64.rpm
piranha-debuginfo-0.8.4-26.el5_10.1.x86_64.rpm
(The unlinked packages above are only available from the Red Hat Network)
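
To confirm that hosts actually run the fixed build, the sketch below compares installed piranha builds against piranha-0.8.4-26.el5_10.1 using rpm-style segment comparison. It is an added example, not part of the Red Hat advisory; the inventory, hostnames and older build strings are constructed, and the input is assumed to come from `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' piranha` on each host.

```python
import re

# Fixed build for RHEL Clustering (v. 5 server), taken from the advisory's package list.
FIXED_VERSION, FIXED_RELEASE = "0.8.4", "26.el5_10.1"
_SEGMENTS = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment, as rpm does.
    Returns -1, 0 or 1. Epochs and the '~' / '^' modifiers are not handled."""
    sa, sb = _SEGMENTS.findall(a), _SEGMENTS.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment beats an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)             # numeric segments compare as integers
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def status(nvr):
    """Classify one NAME-VERSION-RELEASE string against the fixed build."""
    name, version, release = nvr.rsplit("-", 2)
    if name != "piranha" or not re.search(r"\.el5(?![0-9])", release):
        return "out-of-scope"                 # advisory covers only the el5 piranha package
    cmp = rpmvercmp(version, FIXED_VERSION) or rpmvercmp(release, FIXED_RELEASE)
    return "update" if cmp < 0 else "ok"

# Constructed sample inventory: hostnames and the non-fixed builds are made up.
INVENTORY = {
    "lvs-a": "piranha-0.8.4-26.el5_10.1",
    "lvs-b": "piranha-0.8.4-25.el5",
    "lvs-c": "piranha-0.8.4-26.el5",
    "lvs-d": "piranha-0.8.6-4.el6",
}

def audit(inventory):
    """Map each host to 'ok', 'update' or 'out-of-scope'."""
    return {host: status(nvr) for host, nvr in inventory.items()}

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host}: {INVENTORY[host]} -> {result}")
```

Note that lvs-c is flagged even though its release starts with the same "26.el5": the fixed build carries the extra "_10.1" segments, which plain string comparison of the prefix would miss.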

Bugs fixed (see bugzilla for more information)

1043040 - CVE-2013-6492 piranha: web UI authentication bypass using POST requests


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is More contact details at