Escalated to Bugzilla from IssueTracker
This has a security conseqence as it breaks a security promise (sysreport says that it's goals are not to "the invasion of the user's privacy; and the collection of information that could be detrimental to the integrity of the system." I don't see this is a Sev1 however, it's security severity "moderate" at the most.
i have taken a look at up2date file, there are 2 lines in this file. .. proxyPassword[comment]=The password to use for an authenticated proxy proxyPassword= .. with following lines it should fix this problem. cat up2date | grep -vi 'password' > up2date.newfile mv up2date.newfile up2date
You should be able to get most of the relevant data out of my patch above I think (which Florian posted). In /etc/sysconfig/rhn/up2date there should be a line that matches the regex: \(.*password=\)\(.*\) The second part of that regex ( the \(.*\) should be the string representing the password. The patch above adds a fixup function to sysreport to allow you to easily strip out unwanted data from sensitive files like this
Neil, i have fixed the match string in your patch, so it works fine now. i have already committed the changes in CVS. Should i do security errata for this, or just add into next RHEL-update?
Since this affects all RHEL I'd prefer a single async errata for this.
Since this flaw breaks a security promise it deserves a CVE name, therefore I've assigned CAN-2005-1760 to this issue.
When run by the root user, sysreport includes the contents of the /etc/sysconfig/rhn/up2date configuration file. If up2date has been configured to connect to a proxy server that requires an authentication password, that password is included in plain text in the system report. The Common Vulnerabilities and Exposures project assigned the name CAN-2005-1760 to this issue.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-502.html