From 9f7bfc1fb8e719628cf6cbc3726c6598740e485e Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot <eabdullin@almalinux.org>
Date: Mon, 30 Mar 2026 10:04:12 -0400
Subject: [PATCH] import CS sos-4.10.2-2.el9

---
 .gitignore                                    |   2 +-
 .sos.metadata                                 |   2 +-
 ...aner-s-obfuscate_file-properly-worki.patch | 101 --------------
 ...nary.patch => 0001-sosreport-binary.patch} |   0
 ...tions-when-PRODUCT_PATH-doesnt-exist.patch |  36 +++++
 ...002-openstack_nova-Improve-scrubbing.patch |  72 ----------
 ...ed-Carry-forward-postproc-from-other.patch | 124 ++++++++++++++++++
 ...gression-57bbc89-in-toolbox-containe.patch |  36 -----
 ...ilename-after-converting-pem-to-text.patch | 121 +++++++++++++++++
 ...-PR4092.patch => 0005-revert-PR4092.patch} |   0
 SPECS/sos.spec                                |  30 ++++-
 11 files changed, 306 insertions(+), 218 deletions(-)
 delete mode 100644 SOURCES/0001-cleaner-Make-cleaner-s-obfuscate_file-properly-worki.patch
 rename SOURCES/{sosreport-binary.patch => 0001-sosreport-binary.patch} (100%)
 create mode 100644 SOURCES/0002-gcp-Catch-exceptions-when-PRODUCT_PATH-doesnt-exist.patch
 delete mode 100644 SOURCES/0002-openstack_nova-Improve-scrubbing.patch
 create mode 100644 SOURCES/0003-aap_containerized-Carry-forward-postproc-from-other.patch
 delete mode 100644 SOURCES/0003-component-Fix-regression-57bbc89-in-toolbox-containe.patch
 create mode 100644 SOURCES/0004-cleaner-Update-filename-after-converting-pem-to-text.patch
 rename SOURCES/{0004-revert-PR4092.patch => 0005-revert-PR4092.patch} (100%)

diff --git a/.gitignore b/.gitignore
index 0ab7433..9cead08 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/sos-4.10.0.tar.gz
+SOURCES/sos-4.10.2.tar.gz
 SOURCES/sos-audit-0.3-1.tgz
diff --git a/.sos.metadata b/.sos.metadata
index f5396df..446b769 100644
--- a/.sos.metadata
+++ b/.sos.metadata
@@ -1,2 +1,2 @@
-6042daa19f01ecf2f1e331ae70482653fd500d1f SOURCES/sos-4.10.0.tar.gz
+b9350b4145cbd8936efe88920a70fcca46824145 SOURCES/sos-4.10.2.tar.gz
 00752b68ec5e1141192a9dab7d44377b8d637bf7 SOURCES/sos-audit-0.3-1.tgz
diff --git a/SOURCES/0001-cleaner-Make-cleaner-s-obfuscate_file-properly-worki.patch b/SOURCES/0001-cleaner-Make-cleaner-s-obfuscate_file-properly-worki.patch
deleted file mode 100644
index e45e19e..0000000
--- a/SOURCES/0001-cleaner-Make-cleaner-s-obfuscate_file-properly-worki.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 3efc8888852225396ebb4f0f9ae95edf4e5badfa Mon Sep 17 00:00:00 2001
-From: Pavel Moravec <pmoravec@redhat.com>
-Date: Wed, 20 Aug 2025 20:07:05 +0200
-Subject: [PATCH] [cleaner] Make cleaner's obfuscate_file properly working
-
-The fix is three-fold:
-- obfuscate_file must clean file content and not filename
-- cleaner's main_archive must be populated by parsers first
-- obfuscate_file dont need short_name as it is always called with
-  implicit value of short_name that cleaner will strip itself
-
-Closes: #4109
-Closes: #4110
-
-Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
----
- sos/cleaner/__init__.py   | 7 ++++---
- sos/collector/__init__.py | 9 +++------
- sos/report/__init__.py    | 9 +++------
- 3 files changed, 10 insertions(+), 15 deletions(-)
-
-diff --git a/sos/cleaner/__init__.py b/sos/cleaner/__init__.py
-index 4a1470b5..dcd60c66 100644
---- a/sos/cleaner/__init__.py
-+++ b/sos/cleaner/__init__.py
-@@ -537,7 +537,7 @@ third party.
-                 logfile.write(line)
- 
-         if archive:
--            self.obfuscate_file(log_name, short_name="sos_logs/cleaner.log")
-+            self.obfuscate_file(log_name)
-             self.archive.add_file(log_name, dest="sos_logs/cleaner.log")
- 
-     def get_new_checksum(self, archive_path):
-@@ -678,6 +678,7 @@ third party.
-         for prepper in self.get_preppers():
-             for archive in self.report_paths:
-                 self._prepare_archive_with_prepper(archive, prepper)
-+        self.main_archive.set_parsers(self.parsers)
- 
-     def obfuscate_report(self, archive):  # pylint: disable=too-many-branches
-         """Individually handle each archive or directory we've discovered by
-@@ -784,8 +785,8 @@ third party.
-             self.ui_log.info("Exception while processing "
-                              f"{archive.archive_name}: {err}")
- 
--    def obfuscate_file(self, filename, short_name):
--        self.main_archive.obfuscate_filename(filename, short_name)
-+    def obfuscate_file(self, filename):
-+        self.main_archive.obfuscate_arc_files([filename])
- 
-     def obfuscate_symlinks(self, archive):
-         """Iterate over symlinks in the archive and obfuscate their names.
-diff --git a/sos/collector/__init__.py b/sos/collector/__init__.py
-index 7a414501..e6b55f20 100644
---- a/sos/collector/__init__.py
-+++ b/sos/collector/__init__.py
-@@ -1405,16 +1405,13 @@ this utility or remote systems that it connects to.
-             if do_clean:
-                 _dir = os.path.join(self.tmpdir, self.archive._name)
-                 cleaner.obfuscate_file(
--                    os.path.join(_dir, 'sos_logs', 'sos.log'),
--                    short_name='sos.log'
-+                        os.path.join(_dir, 'sos_logs', 'sos.log')
-                 )
-                 cleaner.obfuscate_file(
--                    os.path.join(_dir, 'sos_logs', 'ui.log'),
--                    short_name='ui.log'
-+                    os.path.join(_dir, 'sos_logs', 'ui.log')
-                 )
-                 cleaner.obfuscate_file(
--                    os.path.join(_dir, 'sos_reports', 'manifest.json'),
--                    short_name='manifest.json'
-+                    os.path.join(_dir, 'sos_reports', 'manifest.json')
-                 )
- 
-             arc_name = self.archive.finalize(method=None)
-diff --git a/sos/report/__init__.py b/sos/report/__init__.py
-index 074afcff..9fb94d6a 100644
---- a/sos/report/__init__.py
-+++ b/sos/report/__init__.py
-@@ -1571,13 +1571,10 @@ class SoSReport(SoSComponent):
-         # Now, separately clean the log files that cleaner also wrote to
-         if do_clean:
-             _dir = os.path.join(self.tmpdir, self.archive._name)
--            cleaner.obfuscate_file(os.path.join(_dir, 'sos_logs', 'sos.log'),
--                                   short_name='sos.log')
--            cleaner.obfuscate_file(os.path.join(_dir, 'sos_logs', 'ui.log'),
--                                   short_name='ui.log')
-+            cleaner.obfuscate_file(os.path.join(_dir, 'sos_logs', 'sos.log'))
-+            cleaner.obfuscate_file(os.path.join(_dir, 'sos_logs', 'ui.log'))
-             cleaner.obfuscate_file(
--                os.path.join(_dir, 'sos_reports', 'manifest.json'),
--                short_name='manifest.json'
-+                    os.path.join(_dir, 'sos_reports', 'manifest.json')
-             )
- 
-         # Now, just (optionally) pack the report and print work outcome; let
--- 
-2.49.0
-
diff --git a/SOURCES/sosreport-binary.patch b/SOURCES/0001-sosreport-binary.patch
similarity index 100%
rename from SOURCES/sosreport-binary.patch
rename to SOURCES/0001-sosreport-binary.patch
diff --git a/SOURCES/0002-gcp-Catch-exceptions-when-PRODUCT_PATH-doesnt-exist.patch b/SOURCES/0002-gcp-Catch-exceptions-when-PRODUCT_PATH-doesnt-exist.patch
new file mode 100644
index 0000000..006c44c
--- /dev/null
+++ b/SOURCES/0002-gcp-Catch-exceptions-when-PRODUCT_PATH-doesnt-exist.patch
@@ -0,0 +1,36 @@
+From 178d7fb1296dbcb744867d1b8a29678d1a3b0820 Mon Sep 17 00:00:00 2001
+From: Pavel Moravec <pmoravec@redhat.com>
+Date: Mon, 26 Jan 2026 12:14:19 +0100
+Subject: [PATCH] [gcp] Catch exceptions when PRODUCT_PATH doesnt exist
+
+Catch exceptions when /sys/devices/virtual/dmi/id/product_name does not
+exist on a (rare) system, while user manually enabled gcp plugin.
+
+Closes: #4215
+
+Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
+---
+ sos/report/plugins/gcp.py | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/sos/report/plugins/gcp.py b/sos/report/plugins/gcp.py
+index 24b50323..43ceec00 100644
+--- a/sos/report/plugins/gcp.py
++++ b/sos/report/plugins/gcp.py
+@@ -38,8 +38,11 @@ class GCP(Plugin, IndependentPlugin):
+         Checks if this plugin should be executed based on the presence of
+         GCE entry in sysfs.
+         """
+-        with open(self.PRODUCT_PATH, encoding='utf-8') as sys_file:
+-            return "Google Compute Engine" in sys_file.read()
++        try:
++            with open(self.PRODUCT_PATH, encoding='utf-8') as sys_file:
++                return "Google Compute Engine" in sys_file.read()
++        except OSError:
++            return False
+ 
+     def setup(self):
+         """
+-- 
+2.52.0
+
diff --git a/SOURCES/0002-openstack_nova-Improve-scrubbing.patch b/SOURCES/0002-openstack_nova-Improve-scrubbing.patch
deleted file mode 100644
index 91b376c..0000000
--- a/SOURCES/0002-openstack_nova-Improve-scrubbing.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 6378a4ee9fa3eeaf384bd87fc87e24a0c5608658 Mon Sep 17 00:00:00 2001
-From: Pavel Moravec <pmoravec@redhat.com>
-Date: Tue, 19 Aug 2025 09:08:15 +0200
-Subject: [PATCH] [openstack_nova] Improve scrubbing
-
-Improve postproc obfuscation in two ways:
-- apply postproc also to /var/lib/openstack/config/nova on RedHatNova
-- obfuscate just password from transport_url, not the whole URL
-
-Closes: #4108
-
-Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
----
- sos/report/plugins/openstack_nova.py | 20 +++++++++++---------
- 1 file changed, 11 insertions(+), 9 deletions(-)
-
-diff --git a/sos/report/plugins/openstack_nova.py b/sos/report/plugins/openstack_nova.py
-index 728aed1e..2635866e 100644
---- a/sos/report/plugins/openstack_nova.py
-+++ b/sos/report/plugins/openstack_nova.py
-@@ -29,6 +29,7 @@ class OpenStackNova(Plugin):
-     var_puppet_gen = "/var/lib/config-data/puppet-generated/nova"
-     service_name = "openstack-nova-api.service"
-     apachepkg = None
-+    postproc_dirs = ["/etc/nova/",]
- 
-     def setup(self):
- 
-@@ -141,12 +142,13 @@ class OpenStackNova(Plugin):
-         self.add_copy_spec(specs)
- 
-     def apply_regex_sub(self, regexp, subst):
--        """ Apply regex substitution """
--        self.do_path_regex_sub("/etc/nova/*", regexp, subst)
--        for npath in ['', '_libvirt', '_metadata', '_placement']:
--            self.do_path_regex_sub(
--                f"{self.var_puppet_gen}{npath}/etc/nova/*",
--                regexp, subst)
-+        """ Apply regex substitution to all sensitive dirs """
-+        for _dir in self.postproc_dirs:
-+            self.do_path_regex_sub(f"{_dir}/*", regexp, subst)
-+            for npath in ['', '_libvirt', '_metadata', '_placement']:
-+                self.do_path_regex_sub(
-+                    f"{self.var_puppet_gen}{npath}{_dir}/*",
-+                    regexp, subst)
- 
-     def postproc(self):
-         protect_keys = [
-@@ -155,10 +157,9 @@ class OpenStackNova(Plugin):
-             "xenapi_connection_password", "password", "host_password",
-             "vnc_password", "admin_password", "connection_password",
-             "memcache_secret_key", "s3_secret_key",
--            "metadata_proxy_shared_secret", "fixed_key", "transport_url",
--            "rbd_secret_uuid"
-+            "metadata_proxy_shared_secret", "fixed_key", "rbd_secret_uuid"
-         ]
--        connection_keys = ["connection", "sql_connection"]
-+        connection_keys = ["connection", "sql_connection", "transport_url"]
- 
-         join_con_keys = "|".join(connection_keys)
- 
-@@ -214,6 +215,7 @@ class RedHatNova(OpenStackNova, RedHatPlugin):
-     apachepkg = "httpd"
-     nova = False
-     packages = ('openstack-selinux',)
-+    postproc_dirs = ["/etc/nova/", "/var/lib/openstack/config/nova"]
- 
-     def setup(self):
-         super().setup()
--- 
-2.49.0
-
diff --git a/SOURCES/0003-aap_containerized-Carry-forward-postproc-from-other.patch b/SOURCES/0003-aap_containerized-Carry-forward-postproc-from-other.patch
new file mode 100644
index 0000000..8924e7e
--- /dev/null
+++ b/SOURCES/0003-aap_containerized-Carry-forward-postproc-from-other.patch
@@ -0,0 +1,124 @@
+From 0c237bcaf476c9b5a28165b9124e08163af707ab Mon Sep 17 00:00:00 2001
+From: Pavel Moravec <pmoravec@redhat.com>
+Date: Fri, 30 Jan 2026 21:50:52 +0100
+Subject: [PATCH] [aap_containerized] Carry forward postproc from other AAP
+ plugins
+
+Secrets obfuscations from 2a46e99 commit must be reflected in
+containerized plugin.
+
+Further, fix a typo in a regexp, to properly obfuscate:
+
+EMAIL_HOST_PASSWORD = 'FAKESECRET!!!'
+
+in (both) controller's settings.
+
+Closes: #4213
+
+Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
+---
+ sos/report/plugins/aap_containerized.py | 37 +++++++++++++++++++------
+ sos/report/plugins/aap_controller.py    |  4 +--
+ 2 files changed, 30 insertions(+), 11 deletions(-)
+
+diff --git a/sos/report/plugins/aap_containerized.py b/sos/report/plugins/aap_containerized.py
+index 7baa5fb3..0c85d4b2 100644
+--- a/sos/report/plugins/aap_containerized.py
++++ b/sos/report/plugins/aap_containerized.py
+@@ -41,6 +41,7 @@ class AAPContainerized(Plugin, RedHatPlugin):
+     def setup(self):
+         # Check if username is passed as argument
+         username = self.get_option("username")
++        self.aap_directory_name = self.get_option("directory")
+         if not username:
+             self._log_warn("AAP username is missing, use '-k "
+                            "aap_containerized.username=<user>' to set it")
+@@ -61,16 +62,15 @@ class AAPContainerized(Plugin, RedHatPlugin):
+                     return
+ 
+         # Grab aap installation directory under user's home
+-        if not self.get_option("directory"):
++        if not self.aap_directory_name:
+             user_home_directory = os.path.expanduser(f"~{username}")
+-            aap_directory_name = self.path_join(user_home_directory, "aap")
+-        else:
+-            aap_directory_name = self.get_option("directory")
++            self.aap_directory_name = self.path_join(user_home_directory,
++                                                     "aap")
+ 
+         # Don't collect cert and key files from the installation directory
+-        if self.path_exists(aap_directory_name):
++        if self.path_exists(self.aap_directory_name):
+             forbidden_paths = [
+-                self.path_join(aap_directory_name, path)
++                self.path_join(self.aap_directory_name, path)
+                 for path in [
+                     "containers",
+                     "tls",
+@@ -93,10 +93,10 @@ class AAPContainerized(Plugin, RedHatPlugin):
+                 ]
+             ]
+             self.add_forbidden_path(forbidden_paths)
+-            self.add_copy_spec(aap_directory_name)
++            self.add_copy_spec(self.aap_directory_name)
+         else:
+-            self._log_error(f"Directory {aap_directory_name} does not exist "
+-                            "or invalid absolute path provided")
++            self._log_error(f"Directory {self.aap_directory_name} does not "
++                            "exist or invalid absolute path provided.")
+ 
+         # Gather output of following podman commands as user
+         podman_commands = [
+@@ -200,6 +200,24 @@ class AAPContainerized(Plugin, RedHatPlugin):
+         return False
+ 
+     def postproc(self):
++        # remove controller email password
++        file_path = f"{self.aap_directory_name}/controller/etc/settings.py"
++        jreg = r"(EMAIL_HOST_PASSWORD\s*=\s*)\'(.+)\'"
++        repl = r"\1********"
++        self.do_path_regex_sub(file_path, jreg, repl)
++
++        # remove gateway database password
++        file_path = f"{self.aap_directory_name}/gateway/etc/settings.py"
++        jreg = r"(\s*'PASSWORD'\s*:\s*)('.*')"
++        repl = r"\1********"
++        self.do_path_regex_sub(file_path, jreg, repl)
++
++        # Mask EDA optional secrets
++        file_path = f"{self.aap_directory_name}/eda/etc/settings.yaml"
++        regex = r"(\s*)(PASSWORD|MQ_USER_PASSWORD|SECRET_KEY)(:\s*)(.*$)"
++        replacement = r'\1\2\3********'
++        self.do_path_regex_sub(file_path, regex, replacement)
++
+         # Mask PASSWORD from print_settings command
+         jreg = r'((["\']?PASSWORD["\']?\s*[:=]\s*)[rb]?["\'])(.*?)(["\'])'
+         self.do_cmd_output_sub(
+@@ -214,4 +232,5 @@ class AAPContainerized(Plugin, RedHatPlugin):
+             jreg,
+             r'\1**********\5')
+ 
++
+ # vim: set et ts=4 sw=4 :
+diff --git a/sos/report/plugins/aap_controller.py b/sos/report/plugins/aap_controller.py
+index afb2508c..e2b5e39e 100644
+--- a/sos/report/plugins/aap_controller.py
++++ b/sos/report/plugins/aap_controller.py
+@@ -83,12 +83,12 @@ class AAPControllerPlugin(Plugin, RedHatPlugin):
+         self.do_path_regex_sub("/etc/tower/conf.d/postgres.py", jreg, repl)
+ 
+         # remove email password
+-        jreg = r"(EMAIL_HOST_PASSWORD\s*=)\'(.+)\'"
++        jreg = r"(EMAIL_HOST_PASSWORD\s*=\s*)\'(.+)\'"
+         repl = r"\1********"
+         self.do_path_regex_sub("/etc/tower/settings.py", jreg, repl)
+ 
+         # remove email password (if customized)
+-        jreg = r"(EMAIL_HOST_PASSWORD\s*=)\'(.+)\'"
++        jreg = r"(EMAIL_HOST_PASSWORD\s*=\s*)\'(.+)\'"
+         repl = r"\1********"
+         self.do_path_regex_sub("/etc/tower/conf.d/custom.py", jreg, repl)
+ 
+-- 
+2.52.0
+
diff --git a/SOURCES/0003-component-Fix-regression-57bbc89-in-toolbox-containe.patch b/SOURCES/0003-component-Fix-regression-57bbc89-in-toolbox-containe.patch
deleted file mode 100644
index cfdd658..0000000
--- a/SOURCES/0003-component-Fix-regression-57bbc89-in-toolbox-containe.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From c0e514894b2c35c2b36f247f8b84dd4311034fb6 Mon Sep 17 00:00:00 2001
-From: Pavel Moravec <pmoravec@redhat.com>
-Date: Fri, 12 Sep 2025 11:36:02 +0200
-Subject: [PATCH] [component] Fix regression 57bbc89 in toolbox containers
-
-57bbc89 commit set tmpdir to source the dir from Policy. Which means
-HOST sysroot directory is newly applied already in
-LinuxPolicy._container_init method.
-
-Removed lines mimic the same in a worse way, so let drop them here.
-
-Resolves: #4116
-Closes: #4118
-
-Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
----
- sos/component.py | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/sos/component.py b/sos/component.py
-index a110c270..3e53fe3d 100644
---- a/sos/component.py
-+++ b/sos/component.py
-@@ -170,9 +170,6 @@ class SoSComponent():
-         else:
-             tmpdir = os.getenv('TMPDIR', None) or self.policy.get_tmp_dir(None)
- 
--        if os.getenv('HOST', None) and os.getenv('container', None):
--            tmpdir = os.path.join(os.getenv('HOST'), tmpdir.lstrip('/'))
--
-         # no standard library method exists for this, so call out to stat to
-         # avoid bringing in a dependency on psutil
-         self.tmpfstype = shell_out(
--- 
-2.49.0
-
diff --git a/SOURCES/0004-cleaner-Update-filename-after-converting-pem-to-text.patch b/SOURCES/0004-cleaner-Update-filename-after-converting-pem-to-text.patch
new file mode 100644
index 0000000..1781c61
--- /dev/null
+++ b/SOURCES/0004-cleaner-Update-filename-after-converting-pem-to-text.patch
@@ -0,0 +1,121 @@
+From 0c7626683ae2dcbc5f7b0f00e0980895e0e1ce0d Mon Sep 17 00:00:00 2001
+From: Pavel Moravec <pmoravec@redhat.com>
+Date: Mon, 2 Feb 2026 14:03:26 +0100
+Subject: [PATCH] [cleaner] Update filename after converting pem to text
+
+When converting PEM certificate to text, we need to update filename and
+short_name to the newly created file, to ensure cleaner handles the
+right file.
+
+Also, rename misleading short_name to rel_name as it keeps the rel.path
+to the filename.
+
+Closes: #4219
+Relevant: RHEL-145301
+
+Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
+---
+ sos/cleaner/archives/__init__.py | 34 +++++++++++++++++++-------------
+ 1 file changed, 20 insertions(+), 14 deletions(-)
+
+diff --git a/sos/cleaner/archives/__init__.py b/sos/cleaner/archives/__init__.py
+index e918e2e3..af6ed222 100644
+--- a/sos/cleaner/archives/__init__.py
++++ b/sos/cleaner/archives/__init__.py
+@@ -156,18 +156,18 @@ class SoSObfuscationArchive():
+         for filename in flist:
+             self.log_debug(f"    pid={os.getpid()}: obfuscating {filename}")
+             try:
+-                short_name = filename.split(self.archive_name + '/')[1]
+-                if self.should_skip_file(short_name):
++                rel_name = os.path.relpath(filename, start=self.extracted_path)
++                if self.should_skip_file(rel_name):
+                     continue
+                 if (not self.keep_binary_files and
+-                        self.should_remove_file(short_name)):
++                        self.should_remove_file(rel_name)):
+                     # We reach this case if the option --keep-binary-files
+                     # was not used, and the file is in a list to be removed
+-                    self.remove_file(short_name)
++                    self.remove_file(rel_name)
+                     continue
+                 if (self.keep_binary_files and
+                         (file_is_binary(filename) or
+-                         self.should_remove_file(short_name))):
++                         self.should_remove_file(rel_name))):
+                     # We reach this case if the option --keep-binary-files
+                     # is used. In this case we want to make sure
+                     # the cleaner doesn't try to clean a binary file
+@@ -180,28 +180,32 @@ class SoSObfuscationArchive():
+                 if is_certificate:
+                     if is_certificate == "certificatekey":
+                         # Always remove certificate Key files
+-                        self.remove_file(short_name)
++                        self.remove_file(rel_name)
+                         continue
+                     if self.treat_certificates == "keep":
+                         continue
+                     if self.treat_certificates == "remove":
+-                        self.remove_file(short_name)
++                        self.remove_file(rel_name)
+                         continue
+                     if self.treat_certificates == "obfuscate":
+-                        self.certificate_to_text(filename)
++                        # since the original filename is deleted, we must
++                        # update both "filename" and "rel_name"
++                        filename = self.certificate_to_text(filename)
++                        rel_name = os.path.relpath(filename,
++                                                   start=self.extracted_path)
+                 _parsers = [
+                     _p for _p in self.parsers if not
+                     any(
+-                        _skip.match(short_name) for _skip in _p.skip_patterns
++                        _skip.match(rel_name) for _skip in _p.skip_patterns
+                     )
+                 ]
+                 if not _parsers:
+                     self.log_debug(
+-                        f"Skipping obfuscation of {short_name or filename} "
++                        f"Skipping obfuscation of {rel_name or filename} "
+                         f"due to matching file skip pattern"
+                     )
+                     continue
+-                self.log_debug(f"Obfuscating {short_name or filename}")
++                self.log_debug(f"Obfuscating {rel_name or filename}")
+                 subs = 0
+                 with tempfile.NamedTemporaryFile(mode='w', dir=self.tmpdir) \
+                         as tfile:
+@@ -214,13 +218,13 @@ class SoSObfuscationArchive():
+                                 tfile.write(line)
+                             except Exception as err:
+                                 self.log_debug(f"Unable to obfuscate "
+-                                               f"{short_name}: {err}")
++                                               f"{rel_name}: {err}")
+                     tfile.seek(0)
+                     if subs:
+                         shutil.copyfile(tfile.name, filename)
+                         self.update_sub_count(subs)
+ 
+-                self.obfuscate_filename(short_name, filename)
++                self.obfuscate_filename(rel_name, filename)
+ 
+             except Exception as err:
+                 self.log_debug(f"    pid={os.getpid()}: caught exception on "
+@@ -309,11 +313,13 @@ class SoSObfuscationArchive():
+         """Convert a certificate to text. This is used when cleaner encounters
+         a certificate file and the option 'treat_certificates' is 'obfuscate'.
+         """
++        out_fn = f"{fname}.text"
+         self.log_info(f"Converting certificate file '{fname}' to text")
+         sos_get_command_output(
+             f"openssl storeutl -noout -text -certs {str(fname)}",
+-            to_file=f"{fname}.text")
++            to_file=out_fn)
+         os.remove(fname)
++        return out_fn
+ 
+     def remove_file(self, fname):
+         """Remove a file from the archive. This is used when cleaner encounters
+-- 
+2.52.0
+
diff --git a/SOURCES/0004-revert-PR4092.patch b/SOURCES/0005-revert-PR4092.patch
similarity index 100%
rename from SOURCES/0004-revert-PR4092.patch
rename to SOURCES/0005-revert-PR4092.patch
diff --git a/SPECS/sos.spec b/SPECS/sos.spec
index cdcf398..fb01424 100644
--- a/SPECS/sos.spec
+++ b/SPECS/sos.spec
@@ -4,8 +4,8 @@
 
 Summary: A set of tools to gather troubleshooting information from a system
 Name: sos
-Version: 4.10.0
-Release: 4%{?dist}
+Version: 4.10.2
+Release: 2%{?dist}
 Group: Applications/System
 Source0: https://github.com/sosreport/sos/archive/%{version}/sos-%{version}.tar.gz
 Source1: sos-audit-%{auditversion}.tgz
@@ -22,11 +22,11 @@ Recommends: python3-pexpect
 Recommends: python3-pyyaml
 Conflicts: vdsm < 4.40
 Obsoletes: sos-collector <= 1.9
-Patch1: sosreport-binary.patch
-Patch2: 0001-cleaner-Make-cleaner-s-obfuscate_file-properly-worki.patch
-Patch3: 0002-openstack_nova-Improve-scrubbing.patch
-Patch4: 0003-component-Fix-regression-57bbc89-in-toolbox-containe.patch
-Patch5: 0004-revert-PR4092.patch
+Patch1: 0001-sosreport-binary.patch
+Patch2: 0002-gcp-Catch-exceptions-when-PRODUCT_PATH-doesnt-exist.patch
+Patch3: 0003-aap_containerized-Carry-forward-postproc-from-other.patch
+Patch4: 0004-cleaner-Update-filename-after-converting-pem-to-text.patch
+Patch5: 0005-revert-PR4092.patch
 
 %description
 Sos is a set of tools that gathers information about system
@@ -114,6 +114,22 @@ of the system.  Currently storage and filesystem commands are audited.
 %license LICENSE
 
 %changelog
+* Thu Feb 26 2026 Jan Jansky <jjansky@redhat.com> = 4.10.2-2
+- Update to 4.10.2-2
+  Resolves: RHEL-152471
+
+* Thu Jan 22 2026 Jan Jansky <jjansky@redhat.com> = 4.10.2-1
+- Update to 4.10.2-1
+  Resolves: RHEL-142635
+
+* Fri Dec 05 2025 Jan Jansky <jjansky@redhat.com> = 4.10.1-2
+- Update to 4.10.1-2
+  Resolves: RHEL-121474
+
+* Tue Nov 25 2025 Jan Jansky <jjansky@redhat.com> = 4.10.1-1
+- Update to 4.10.1-1
+  Resolves: RHEL-121474
+
 * Tue Sep 23 2025 Jan Jansky <jjansky@redhat.com> = 4.10.0-4
 - Update to 4.10.0-4
   Resolves: RHEL-113795