4.99. sos
An updated sos package that fixes one security issue is now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link associated with the description below.
The sos package contains a set of tools that gather information from system hardware, logs and configuration files. The information can then be used for diagnostic purposes and debugging.
Security Fix
- CVE-2012-2664
- The sosreport utility collected the Kickstart configuration file ("/root/anaconda-ks.cfg"), but did not remove the root user's password from it before adding the file to the resulting archive of debugging information. An attacker able to access the archive could possibly use this flaw to obtain the root user's password. "/root/anaconda-ks.cfg" usually only contains a hash of the password, not the plain text password.
Note: This issue affected all installations, not only systems installed via Kickstart. A "/root/anaconda-ks.cfg" file is created by all installation types.
The utility also collects yum repository information from "/etc/yum.repos.d" which in uncommon configurations may contain passwords. Any http_proxy password specified in these files will now be automatically removed. Passwords embedded within URLs in these files should be manually removed or the files excluded from the archive.
All users of sos are advised to upgrade to this updated package, which contains a backported patch to correct this issue.
An updated sos package that fixes several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 5.
The sos package contains a set of tools that gather information from system hardware, logs and configuration files. The information can then be used for diagnostic purposes and debugging.
Bug Fixes
- BZ#782218
- When the rhn-client-tools package was not installed and the
__raisePlugins__
plug-in was enabled on the system, thesosreport
utility failed to collect thedmidecode
files and other hardware information. This update provides a patch to fix this bug andsosreport
now works correctly in the described scenario. - BZ#782247
- When the audit package was not installed and the
/var/log/audit
file did not exist on the system, theauditd
plug-in failed with a traceback error. This bug has been fixed andauditd
now properly handles the missing/var/log/audit
file. - BZ#868008
- When SELinux was disabled on the system, the
sosreport
utility did not collect the information located in thesos_commands/selinux/
directory. This update provides a patch to fix this bug, andsosreport
now correctly collects all the required information in the described scenario. - BZ#906071
- Previous versions of the sos
psacct
(BSD Process Accounting) module collected all process accounting files present on the system, which could, under certain configurations, lead to a very large number of archived files in the process accounting directory. To fix this,psacct
now collects only the most recent accounting file by default. Theall
option has been added to the module which allows the user to request the original behavior if required. As a result, reports generated on hosts with many archived accounting files no longer include this large set of additional data. - BZ#958346
- Previously, the
sosreport
utility did not capture modules located in the/etc/modules.*/
directory including module blacklisting. With this update, a patch has been provided to fix this bug andsosreport
now captures the modules as expected. - BZ#976242
- Previous versions of the
sos
utility did not sanitize special characters in system host names when using the name in file system paths. Consequently, inserting special characters in the system host name could causesos
to generate invalid file system paths and fail to generate a report. With this update, invalid characters are filtered out of system host names andsos
now works correctly on systems having characters disallowed in file system paths present in the host name. - BZ#977187
- When used on PowerPC systems, the
sosreport
utility took a copy of the/boot/yaboot.conf
file but not a copy of the/etc/yaboot.conf
file. Consequently,sosreport
could miss important information present in this file. This update applies a patch to fix this bug and the report fromsosreport
now contains information from/etc/yaboot.conf
if present.
Enhancements
- BZ#840981
- Previous releases of
sos
captured only the/proc/ioports
file detailing registered I/O port regions in use. The/proc/iomem
file additionally describes regions of physical system memory and their use of memory, firmware data, and device I/O traffic. As this data can be important in debugging certain hardware and device-driver problems, bothioports
andiomem
data have been made available within generated reports. - BZ#891325
- Previously, the
sar
plug-in did not set a size restriction for collected data, which could cause thesosreport
utility to fill up the directory for temporary files. This enhancement adds the ability to limit the maximum size of collected data for thesar
plug-in. - BZ#907876
- The ID mapping daemon (
idmapd
) controls identity mappings used by NFSv4 services and is important for diagnostic and troubleshooting efforts. This enhancement provides a new feature that allows thesosreport
utility to analyze theidmapd.conf
file on NFS client and server hosts.
Users of sos are advised to upgrade to this updated package, which fixes these bugs and adds these enhancements.