As noted in bug #1102633, Red Hat Enterprise Linux 5 does not contain the following preamble when running sosreport: "The generated archive may contain data considered sensitive and its content should be reviewed by the originating organization before being passed to any third party." As a result, a user might assume that the contents of the sosreport archive are sanitized and do not contain any sensitive information. While sosreport does try to remove some common files that contain passwords or other sensitive information (like kerberos keytabs, etc.), it's impossible to catch everything and it is never claimed that it does. MITRE has assigned CVE-2014-3925 to the implementation of sosreport on Red Hat Enterprise Linux 5 precisely for this reason [1]. [1] http://www.openwall.com/lists/oss-security/2014/05/30/3
This was fixed in https://rhn.redhat.com/errata/RHBA-2014-1200.html Statement: This issue did not affect the versions of sosreport as shipped with Red Hat Enterprise Linux 6.