(RHSA-2013:0638) Moderate: Red Hat OpenShift Enterprise 1.1.2 update

OpenShift Enterprise is a cloud computing Platform-as-a-Service (PaaS)
solution from Red Hat, and is designed for on-premise or private cloud
deployments.

A flaw was found in the handling of paths provided to ruby193-rubygem-rack.
A remote attacker could use this flaw to conduct a directory traversal
attack by passing malformed requests. (CVE-2013-0262)

A timing attack flaw was found in the way rubygem-rack and
ruby193-rubygem-rack processed HMAC digests in cookies. This flaw could aid
an attacker using forged digital signatures to bypass authentication
checks. (CVE-2013-0263)

It was found that Jenkins did not protect against Cross-Site Request
Forgery (CSRF) attacks. If a remote attacker could trick a user, who was
logged into Jenkins, into visiting a specially-crafted URL, the attacker
could perform operations on Jenkins. (CVE-2013-0327, CVE-2013-0329)

A cross-site scripting (XSS) flaw was found in Jenkins. A remote attacker
could use this flaw to conduct an XSS attack against users of Jenkins.
(CVE-2013-0328)

A flaw could allow a Jenkins user to build jobs they do not have access to.
(CVE-2013-0330)

A flaw could allow a Jenkins user to cause a denial of service if they
are able to supply a specially-crafted payload. (CVE-2013-0331)

Users are advised to upgrade to Red Hat OpenShift Enterprise 1.1.2. It is
recommended that you restart your system after applying this update.