RHBA-2014:1200 - Bug Fix Advisory

Topic

The updated sos package that fixes several bugs is now available for Red Hat
Enterprise Linux 5.

Description

The sos package contains a set of utilities that gather information from system
hardware, logs, and configuration files. The information can then be used for
diagnostic purposes and debugging.

This update fixes the following bugs:

• Previously, the sosreport utility did not include the output of the "brctl

show" command for all systems. Consequently, information on bridged network
configurations was only available in the report tarball on systems using Xen for
virtualization. With this update, the networking module collects the output of
"brctl show" as well as "brctl showstp" commands for each configured bridge, and
thus bridged network configuration information is now available in the report
tarball for all hosts. (BZ#833406)

• Previous versions of the sosreport utility used the legacy ifconfig command to

detect network interfaces, but ifconfig did not support interfaces named via
biosdevname. As a consequence, no information on biosdevname interfaces was
present in the report tarball. With this update, the sosreport networking
plug-in now uses the "ip" command to detect interfaces of all types, and full
information on biosdevname interfaces is now included. (BZ#980177)

• Previously, the sosreport utility collected the krb5.keytab file from Kerberos

installations. Although encrypted, this file can contain sensitive key material.
With this update, sosreport collects a summary of krb5.keytab using the klist
command but does not collect the krb5.keytab file itself. As a result,
krb5.keytab data is still available but no sensitive information is included in
the report tarball. (BZ#1029017)

• Previously, the sosreport "ds" plug-in collected all directory server logs by

default. Depending on the log configuration, this could lead to very large
report sizes. With this update, sosreport collects by default only the current
version of the directory server logs regarding to "access", "errors" and
"audit", and rotated logs are not collected by default. In addition, the plug-in
now supports an "all_logs" option that can be used to request the old behavior.
As a result, the default report size for directory server hosts is now smaller
and more consistent unless full log data is explicitly requested. (BZ#1086736)

• Prior to this update, the sosreport utility could include password material in

the grub.conf and fstab files collected by the boot loader and file system
plug-ins if present on the collection system. Consequently, passwords, either
plain text or hashed, could be included in the report tarball. With this bug fix
update, password and other secrets are now removed during collection, and
passwords from the fstab or grub.conf files can no longer appear in the report
tarball. (BZ#1107751)

Users of sos are advised to upgrade to this updated package, which fixes these
bugs.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 773350 - sosreport cluster module - free libxml2 python binding objects
• BZ - 782588 - sosreport cluster module - hide libxml2 debug output
• BZ - 783423 - sos: URL in rpm specfile is not responding
• BZ - 833406 - sosreport missing brctl output
• BZ - 916937 - Set global{locking_type=0} when calling lvm2 commands
• BZ - 1099151 - insecure temp files usage in gfs2 plugin
• BZ - 1099520 - Make sos LC_ALL use consistent with later releases
• BZ - 1107751 - backport fstab and grub.conf password stripping from upstream

CVEs

• CVE-2014-3925

References

(none)