diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/sos-bz2098639-ovirt-obfuscation_answer_file.patch b/SOURCES/sos-bz2098639-ovirt-obfuscation_answer_file.patch
new file mode 100644
index 0000000..b8101b6
--- /dev/null
+++ b/SOURCES/sos-bz2098639-ovirt-obfuscation_answer_file.patch
@@ -0,0 +1,66 @@
+From 5fd872c64c53af37015f366295e0c2418c969757 Mon Sep 17 00:00:00 2001
+From: Yedidyah Bar David <didi@redhat.com>
+Date: Thu, 26 May 2022 16:43:21 +0300
+Subject: [PATCH] [ovirt] answer files: Filter out all password keys
+
+Instead of hard-coding specific keys and having to maintain them over
+time, replace the values of all keys that have 'password' in their name.
+I think this covers all our current and hopefully future keys. It might
+add "false positives" - keys that are not passwords but have 'password'
+in their name - and I think that's a risk worth taking.
+
+Sadly, the engine admin password prompt's name is
+'OVESETUP_CONFIG_ADMIN_SETUP', which does not include 'password', so has
+to be listed specifically.
+
+A partial list of keys added since the replaced code was written:
+- grafana-related stuff
+- keycloak-related stuff
+- otopi-style answer files
+
+Signed-off-by: Yedidyah Bar David <didi@redhat.com>
+Change-Id: I416c6e4078e7c3638493eb271d08d73a0c22b5ba
+---
+ sos/report/plugins/ovirt.py | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/sos/report/plugins/ovirt.py b/sos/report/plugins/ovirt.py
+index 09647bf1..3b1bb29b 100644
+--- a/sos/report/plugins/ovirt.py
++++ b/sos/report/plugins/ovirt.py
+@@ -241,19 +241,22 @@ class Ovirt(Plugin, RedHatPlugin):
+ r'{key}=********'.format(key=key)
+ )
+
+- # Answer files contain passwords
+- for key in (
+- 'OVESETUP_CONFIG/adminPassword',
+- 'OVESETUP_CONFIG/remoteEngineHostRootPassword',
+- 'OVESETUP_DWH_DB/password',
+- 'OVESETUP_DB/password',
+- 'OVESETUP_REPORTS_CONFIG/adminPassword',
+- 'OVESETUP_REPORTS_DB/password',
++ # Answer files contain passwords.
++ # Replace all keys that have 'password' in them, instead of hard-coding
++ # here the list of keys, which changes between versions.
++ # Sadly, the engine admin password prompt name does not contain
++ # 'password'... so neither does the env key.
++ for item in (
++ 'password',
++ 'OVESETUP_CONFIG_ADMIN_SETUP',
+ ):
+ self.do_path_regex_sub(
+ r'/var/lib/ovirt-engine/setup/answers/.*',
+- r'{key}=(.*)'.format(key=key),
+- r'{key}=********'.format(key=key)
++ re.compile(
++ r'(?P<key>[^=]*{item}[^=]*)=.*'.format(item=item),
++ flags=re.IGNORECASE
++ ),
++ r'\g<key>=********'
+ )
+
+ # aaa profiles contain passwords
+--
+2.27.0
+
diff --git a/SOURCES/sos-bz2098643-crio-output-to-json.patch b/SOURCES/sos-bz2098643-crio-output-to-json.patch
new file mode 100644
index 0000000..2f5dd3b
--- /dev/null
+++ b/SOURCES/sos-bz2098643-crio-output-to-json.patch
@@ -0,0 +1,73 @@
+From c2e66fa4dae51f03c7310ba5278897ddecac1aad Mon Sep 17 00:00:00 2001
+From: Nadia Pinaeva <npinaeva@redhat.com>
+Date: Thu, 2 Jun 2022 15:43:09 +0200
+Subject: [PATCH] crio: switch from parsing output in table format to json
+
+Signed-off-by: Nadia Pinaeva <npinaeva@redhat.com>
+---
+ sos/policies/runtimes/crio.py | 30 ++++++++++++++++++++----------
+ 1 file changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/sos/policies/runtimes/crio.py b/sos/policies/runtimes/crio.py
+index 55082d07..4cae1ecc 100644
+--- a/sos/policies/runtimes/crio.py
++++ b/sos/policies/runtimes/crio.py
+@@ -7,6 +7,7 @@
+ # version 2 of the GNU General Public License.
+ #
+ # See the LICENSE file in the source distribution for further information.
++import json
+
+ from sos.policies.runtimes import ContainerRuntime
+ from sos.utilities import sos_get_command_output
+@@ -29,14 +30,15 @@ class CrioContainerRuntime(ContainerRuntime):
+ :type get_all: ``bool``
+ """
+ containers = []
+- _cmd = "%s ps %s" % (self.binary, '-a' if get_all else '')
++ _cmd = "%s ps %s -o json" % (self.binary, '-a' if get_all else '')
+ if self.active:
+ out = sos_get_command_output(_cmd, chroot=self.policy.sysroot)
+- if out['status'] == 0:
+- for ent in out['output'].splitlines()[1:]:
+- ent = ent.split()
++ if out["status"] == 0:
++ out_json = json.loads(out["output"])
++ for container in out_json["containers"]:
+ # takes the form (container_id, container_name)
+- containers.append((ent[0], ent[-3]))
++ containers.append(
++ (container["id"], container["metadata"]["name"]))
+ return containers
+
+ def get_images(self):
+@@ -47,13 +49,21 @@ class CrioContainerRuntime(ContainerRuntime):
+ """
+ images = []
+ if self.active:
+- out = sos_get_command_output("%s images" % self.binary,
++ out = sos_get_command_output("%s images -o json" % self.binary,
+ chroot=self.policy.sysroot)
+ if out['status'] == 0:
+- for ent in out['output'].splitlines():
+- ent = ent.split()
+- # takes the form (image_name, image_id)
+- images.append((ent[0] + ':' + ent[1], ent[2]))
++ out_json = json.loads(out["output"])
++ for image in out_json["images"]:
++ # takes the form (repository:tag, image_id)
++ if len(image["repoTags"]) > 0:
++ for repo_tag in image["repoTags"]:
++ images.append((repo_tag, image["id"]))
++ else:
++ if len(image["repoDigests"]) == 0:
++ image_name = "<none>"
++ else:
++ image_name = image["repoDigests"][0].split("@")[0]
++ images.append((image_name + ":<none>", image["id"]))
+ return images
+
+ def fmt_container_cmd(self, container, cmd, quotecmd):
+--
+2.27.0
+
diff --git a/SPECS/sos.spec b/SPECS/sos.spec
index d0b093e..6b2ea9b 100644
--- a/SPECS/sos.spec
+++ b/SPECS/sos.spec
@@ -5,7 +5,7 @@
Summary: A set of tools to gather troubleshooting information from a system
Name: sos
Version: 4.2
-Release: 19%{?dist}
+Release: 20%{?dist}
Group: Applications/System
Source0: https://github.com/sosreport/sos/archive/%{version}/sos-%{version}.tar.gz
Source1: sos-audit-%{auditversion}.tgz
@@ -45,6 +45,8 @@ Patch21: sos-bz2042966-ovn-proper-package-enablement.patch
Patch22: sos-bz2054882-plugopt-logging-effective-opts.patch
Patch23: sos-bz2055547-honour-plugins-timeout-hardcoded.patch
Patch24: sos-bz2071825-merged-8.6.z.patch
+Patch25: sos-bz2098639-ovirt-obfuscation_answer_file.patch
+Patch26: sos-bz2098643-crio-output-to-json.patch
%description
Sos is a set of tools that gathers information about system
@@ -79,6 +81,8 @@ support technicians and developers.
%patch22 -p1
%patch23 -p1
%patch24 -p1
+%patch25 -p1
+%patch26 -p1
%build
%py3_build
@@ -145,6 +149,12 @@ of the system. Currently storage and filesystem commands are audited.
%ghost /etc/audit/rules.d/40-sos-storage.rules
%changelog
+* Fri Jul 24 2022 Jan Jansky <jjansky@redhat.com> = 4.2-20
+- [ovirt] obfuscate answer file
+ Resolves: bz2098639
+- [crio] from output to json
+ Resolves: bz2098643
+
* Mon May 09 2022 Jan Jansky <jjansky@redhat.com> = 4.2-19
- OCP backport
Resolves: bz2071824