(RHSA-2013:1136) Moderate: rubygem-passenger security update

rubygem-passenger is a web server for Ruby, Python and Node.js
applications.

The rubygem-passenger gem created and re-used temporary directories and
files in an insecure fashion. A local attacker could use these flaws to
conduct a denial of service attack, take over the operation of the
application or, potentially, execute arbitrary code with the privileges of
the user running rubygem-passenger. (CVE-2013-2119, CVE-2013-4136)

Note: By default, OpenShift Enterprise uses polyinstantiation (per user)
for the /tmp/ directory, thereby minimizing the risk and impact of
exploitation by local attackers of both CVE-2013-2119 and CVE-2013-4136.

The CVE-2013-2119 issue was discovered by Michael Scherer of the Red Hat
Regional IT team.

The following packages are included with this update as dependencies of the
updated Ruby 1.8 passenger packages:

rubygem-spruz-0.2.5-4.el6op
rubygem-file-tail-1.0.5-4.el6op

Users of Red Hat OpenShift Enterprise 1.2.2 are advised to upgrade to
these updated packages, which correct these issues. After installing the
updated packages, manual action is required before the update takes effect.
Refer to the Solution section for details.