Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1103324 - (CVE-2014-3925) CVE-2014-3925 sos: does not indicate data sent is potentially sensitive on Red Hat Enterprise Linux 5
CVE-2014-3925 sos: does not indicate data sent is potentially sensitive on Re...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20140529,reported=2...
: Security
Depends On: 1065468
Blocks: 1101415
  Show dependency treegraph
 
Reported: 2014-05-30 14:13 EDT by Vincent Danen
Modified: 2015-08-22 10:58 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-22 10:58:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Vincent Danen 2014-05-30 14:13:18 EDT 
As noted in bug #1102633, Red Hat Enterprise Linux 5 does not contain the following preamble when running sosreport:

"The generated archive may contain data considered sensitive and its
content should be reviewed by the originating organization before being
passed to any third party."

As a result, a user might assume that the contents of the sosreport archive are sanitized and do not contain any sensitive information.  While sosreport does try to remove some common files that contain passwords or other sensitive information (like kerberos keytabs, etc.), it's impossible to catch everything and it is never claimed that it does.

MITRE has assigned CVE-2014-3925 to the implementation of sosreport on Red Hat Enterprise Linux 5 precisely for this reason [1].

[1] http://www.openwall.com/lists/oss-security/2014/05/30/3
Comment 2 Vincent Danen 2015-08-22 10:58:17 EDT 
This was fixed in https://rhn.redhat.com/errata/RHBA-2014-1200.html


Statement:

This issue did not affect the versions of sosreport as shipped with Red Hat Enterprise Linux 6.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.