Bug 749383 (CVE-2011-4083)

Summary: CVE-2011-4083 sos: sosreport is gathering certificate-based RHN entitlement private keys
Product: [Other] Security Response
Reporter: David Kutálek <dkutalek>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: agk, bkearney, bmr, dgoodwin, gavin, jlieskov, mjc, prc, psplicha, security-response-team
Target Milestone: ---
Target Release: ---
Keywords: EasyFix, Security
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-02-21 08:19:39 UTC
Bug Depends On: 750606, 750607
Bug Blocks: 742493, 750605

Comment 4 Jan Lieskovsky 2011-10-27 17:28:21 UTC
The CVE identifier of CVE-2011-4083 has been assigned to this issue.

Comment 10 Jan Lieskovsky 2011-11-01 18:01:52 UTC
An information disclosure flaw was found in the way the sosreport utility of SOS, a set of system support tools, retrieved debugging information for the system, intended to be compressed and sent to the technical support representative. Due to a bug in the way this debugging information was collected, the resulting archive contained not only the particular Red Hat Network (RHN) entitlement certificate, but also the private key for the entitlement, used to sign the certificate. A remote attacker could use this flaw to obtain unprivileged access to the content served by this RHN entitlement.
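The check a practitioner wants after reading the description above is a way to confirm, before an archive leaves the machine, that no PEM private key travelled along with the entitlement certificate. The following is an added example, not code from the sos project or from this bug report: it walks every regular file in a sosreport tarball and flags members containing a PEM "PRIVATE KEY" block, and shows the same content-based test applied on the collection side so a key is dropped before it is ever archived. The archive layout, file names and PEM bodies are constructed for the demonstration; the "key" is a dummy base64 body, not real key material, and the path /etc/pki/entitlement is used only as the location the bug's summary refers to.

```python
"""Scan a sosreport archive for PEM private-key material (added example)."""
import io
import re
import tarfile

# Matches any PEM private-key header: "PRIVATE KEY", "RSA PRIVATE KEY",
# "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "OPENSSH PRIVATE KEY", ...
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")

# Constructed sample of what an over-broad collection of /etc/pki/entitlement
# would pick up: the certificate, its private key, and an unrelated log file.
# The PEM bodies are placeholders, not a real certificate or key.
SAMPLE_FILES = {
    "sosreport-host/etc/pki/entitlement/1234567890.pem":
        b"-----BEGIN CERTIFICATE-----\nMIIBsampleCertificateBody\n-----END CERTIFICATE-----\n",
    "sosreport-host/etc/pki/entitlement/1234567890-key.pem":
        b"-----BEGIN RSA PRIVATE KEY-----\nMIIEdummyKeyBody\n-----END RSA PRIVATE KEY-----\n",
    "sosreport-host/var/log/messages":
        b"Oct 27 17:28:21 host rhsmcertd: certificates updated\n",
}


def contains_private_key(data: bytes) -> bool:
    """True if the bytes contain a PEM private-key block header."""
    return PRIVATE_KEY_RE.search(data) is not None


def filter_for_collection(files: dict) -> dict:
    """Collection-side guard: drop any file whose content carries a private key.

    Content-based rather than name-based, so a key stored under an
    unexpected file name is still excluded from the archive.
    """
    return {name: data for name, data in files.items()
            if not contains_private_key(data)}


def build_sample_archive(files: dict = SAMPLE_FILES) -> io.BytesIO:
    """Build an in-memory tar.gz with the given members (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def find_private_keys(archive) -> list:
    """Return names of archive members whose contents carry a PEM private key.

    `archive` is a filesystem path (str) or a file-like object holding a tar,
    compressed or not ("r:*" autodetects). Only regular files are inspected;
    directories and symlinks are skipped. Members are read whole, which is
    fine for PEM-sized files; large logs are still scanned but the regex is
    cheap.
    """
    if isinstance(archive, str):
        tf = tarfile.open(archive, mode="r:*")
    else:
        tf = tarfile.open(fileobj=archive, mode="r:*")
    hits = []
    with tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            fobj = tf.extractfile(member)
            if fobj is None:
                continue
            if contains_private_key(fobj.read()):
                hits.append(member.name)
    return hits


def demo() -> list:
    """Scan the constructed sample archive; returns the leaked-key members."""
    return find_private_keys(build_sample_archive())


if __name__ == "__main__":
    for name in demo():
        print("private key material in archive member:", name)
    print("members safe to collect:", sorted(filter_for_collection(SAMPLE_FILES)))
```

Against a real archive, call find_private_keys("sosreport-host.tar.xz") and treat any hit as a reason not to send the file. The scan is deliberately content-based: matching on file names such as "*-key.pem" would miss a key under another name, while the PEM header is present in every unencrypted-or-not PEM private key.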

Comment 11 Jan Lieskovsky 2011-11-01 18:03:26 UTC
This issue did NOT affect the version of the sos package, as shipped with
Red Hat Enterprise Linux 4.

--

This issue affects the versions of the sos package, as shipped with
Red Hat Enterprise Linux 5 and 6.

Comment 18 Tomas Hoger 2011-12-06 08:26:35 UTC
Lifting embargo.

Comment 19 errata-xmlrpc 2011-12-06 18:11:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1536 https://rhn.redhat.com/errata/RHSA-2011-1536.html

Comment 23 errata-xmlrpc 2012-02-21 03:25:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0153 https://rhn.redhat.com/errata/RHSA-2012-0153.html